After moving into a newly created EMEA-wide role, Grunwitz updates us on NTT's security restructure, betting big on GDPR, and why NTT Security isn't afraid of going head to head with Europe's MSSP newcomers
NTT Security dismantled its sub-regional management structure last week, in favour of an EMEA-wide approach, which saw central European boss Kai Grunwitz (pictured) move into a newly created role as senior vice president of EMEA. Meanwhile, country lead for France Christophe Jourdet took on a second responsibility as director of alliances for EMEA, while Charles Bovey - the firm's Benelux lead - took on an EMEA-wide role as director of managed security services pre-sales.
The spate of new appointments follows a massive overhaul of parent company NTT's security operations last year. NTT Com Security - along with US subsidiary Solutionary and Australian managed security platform Earthwave - were folded to create NTT Security last August, which saw around 200 sales staff transferred to NTT's other operating companies Dimension Data and NTT Data.
A few months before the restructure, NTT Security's then SVP of marketing Gavin Bradbury told CPI Europe that the firm was being "marked down" in the industry for not providing a "joined-up" approach to security, and the new company structure would relinquish competition between NTT's operating companies.
Now, just over a year on from the advent of NTT Security, Grunwitz shares with us how the firm's new go-to-market strategy is helping win new business, and making it easier for customers to interact with the firm as a whole.
The recent EMEA appointments represent the latest step in NTT Security's new go-to-market strategy. How has this changed how you deal with your customers?
It is never an easy process to change an organisation that has been established for a while, but with our new strategy of changing our go-to-market approach and selling through the operating companies, it was necessary to change a couple of things.
As a specialised security company, we are driving mainly managed security services and consulting services through our operating companies and having them sell large overall transformation deals. Digitalisation is driving large projects, and security is always part of that. With the new structure, we have eliminated any competition between our operation companies; now there is none at all.
We have looked at our structure which was pretty much regionalised and country-based, but today the projects are more international and require a lot of collaboration in EMEA. Sometimes you have good skills in one country that you could need in another. Also, you have to be very clear about sharing best practices across borders because what we do with the operating companies in Germany is beneficial in the UK as well, so we are trying to drive more in an EMEA functional structure to leverage the synergies there.
Are you still reselling vendor solutions? How has NTT Security's priorities changed over the years?
We moved away from reselling towards being a pure services company, so we are focusing purely on the growth on the services side. Today, 70 per cent of our new business on the services side is going through the operating companies, and the reselling business we transfer to the operating companies anyway.
At the moment reselling is not a focus for us; we use our operating companies to do the reselling business. We have a team working with Gary Sidaway (SVP of security strategy and alliances); he is driving collaboration across operating companies on a global level to make sure our vendor partnerships have been transferred in a proper way and our business is covered by all operating companies. We see that NTT Data, Dimension Data and NTT Europe are really picking it up and we have had very good feedback from our partners about how we handle the transition on that side.
Have there been any teething problems when aligning your customers with the new company structure?
Of course, you always have the consideration that some customers would love to continue working with us, but we try to be as consistent as possible. That is why hitting 70 per cent of the services business through the operating companies is a good result for me. We still have some clients that will be transferred step by step, into an indirect channel model or wholesale model, but we don't push for that if it would affect any customer relationships because the key goal for us is to retain all our clients.
On the customer side we only had a few changes. Most of our clients already have contracts with at least one or two of our other entity companies. It was more to make clear that the procurement process now flows through one company in the future, which is a big advantage for our clients because it simplifies their procurement process. Especially with the large clients, it means they don't have to contact Dimension Data and NTT Security, they can instead just go all through Dimension Data.
With cybersecurity attacks hitting the headlines on an increasingly regular basis, MSSPs must be more relevant than ever. What do you see as the major sales and growth opportunities for NTT Security today?
The most important area for us is the managed security services area; we see that the market is still ramping up. Not a lot of companies have decided to move with a managed security service (MSS) provider and many are still in the process of evaluating their options. Only six per cent [of companies in EMEA] are working with an MSSP today.
When I talk about MSS I don't mean the standard device management, where you are managing firewalls and that sort of thing. That is still a service we deliver, but it is not for us a differentiating service in the market. A lot of companies can deliver device management but we have moved on as a company and we are focusing on the high-value advanced analytics, which means detecting any threats before they affect the company.
We see strong growth here because clients struggle at the moment in really getting the best out of their monitoring solutions or so-called SIEM solutions. It requires a lot of people to implement, run and analyse the data that has been generated with an SIEM tool. Large clients might have enough people, but the upper-mid market, and also some larger clients really struggle because they want to have their security people work on other things, not only on monitoring what is going on in their environment.
GDPR is looming on the horizon. How far along are European companies with compliance, and do you see it as a sales opportunity?
Talking about GDPR in security is unavoidable at the moment. We are coming close to May now, and there are still a lot of companies that have not really understood how critical it should be for them. We see companies in the US or the UK who still think it doesn't affect them because Brexit is coming and we have the US, which is far away from Europe, so they think it is not relevant. But the regulation is valid for all companies that do business in the European area.
Overall, there is still a lot of work to be done in Europe. Only 39 per cent of the companies in the UK have identified GDPR as a risk for them, according to our research, but they are now catching up step by step. We are not much better in most other European countries, to be fair. I think in Germany and Austria we are at 53 per cent, so not so good; the UK is a little bit behind but so far the others are not so far ahead. Switzerland is number one with 58 per cent.
This is good news for us at the moment, because we have a great team and a great GDPR framework. We have invested in supporting the documentation and handling the incident response for our customers, but also the risk management processes where we have a team implementing tools such as RSA Archer or others. The governance, risk and compliance (GRC) business along with GDPR is a massive growth area for us at the moment.
In the end, the opportunity is on the consulting side and the technology side. The consulting opportunity is there to define the procedures and understand where the clients are. But we see a technology opportunity as well because we have to automate the processes, but also analyse weakness and data flow.
A client could say 'I want you to delete my personal data', then you have to find it and delete it on a global scale; that is a technology challenge. Quite often it starts with the consultancy engagement to identify the gaps, then it moves on to a technical one.
The past few years have seen a number of MSSPs grow into major European players. SecureLink has become a 625-employee-strong MSSP while NCC has acquired eight firms in the last six years and grown its headcount to more than 900 staff. How have you reacted to this new competitive landscape?
We have a competitive landscape out there and we acknowledge they are also spending up; I would be stupid not to recognise that. On the other hand, our key differentiator is that we are one of the few real global players in that area. If you look at some of the companies, they have either a strong country-specific footprint where they have local shops and they are good at managing the infrastructure, but they definitely lack the global threat intelligence. They don't have the capacity that we have to invest in developers - let's say hundreds of developers - to continue work on the platform used to monitor the environment.
We are a real global player with 1,500 people now and we are one of the largest specialised security companies, if not the largest. A lot of players do security on top of their networking business, but we do it only, that is the only business we do.
We see a lot of players buying point solutions and putting together a platform based on a standard SIEM implementation. But with our platform, which uses machine learning, we are much faster at identifying problems than the patchwork of solutions put together by a lot of players in this market.
If you look at the global coverage and the unique detection capabilities we have and all our R&D power at NTT, we are in a good position to win further market share especially if you look at the sales coverage we bring to the table as well. Consider the number of salespeople across NTT Data, Dimension Data, NTT Europe, e-shelter, and Everis, which are all part of the NTT Group.