Harbor finds its anchor in Australia

Regulatory changes and increased cybersecurity risks in Australia have presented UK-owned Harbor Solutions with the right opportunity to expand into the local market.

Headquartered in Hertfordshire, United Kingdom, the MSP was founded in 2014 specialising in data protection, backup, disaster recovery, and cyber resilience. In June, the MSP, had entered the Australian and New Zealand (A/NZ) market with Steven Baker, former Rubrik regional sales director for A/NZ, leading the local expansion.

In an interview with ARN, Baker and Harbor Solutions CEO James Harris explained the reason behind expanding into Australia, the changing landscape for backup and recovery.

“We looked around the world as part of our expansion plans over the next few years,” he said. “It’s an important part of our journey having been formed out of the UK markets and the regulated markets we’ve traditionally serviced.

“These have mostly been larger organisations, tier one to tier three, particularly in the finance, legal, and regulatory space.”

Baker felt there was an opportunity for Harbor to provide local customers with the ability to de-risk.

“The backup market is crowded, and customers do have a conundrum when they know they need to modernise,” he said. “They know they need to address some of the challenges, the regulatory challenges.

“I’ve come from a customer background as well as vendor, and so it was the perfect storm for me to be that conduit.”

Baker has worked closely and directly with customers on the vendor side through his time with Rubrik [and] he also spent time working in ICT teams across a number of industries.

“I know from previously working with customers that that is a real challenge,” he said. “It’s not always easy finding organisation to adequately cover those gaps.”

His local customer experience was important for Harbor as well, noted Harris. To not have local knowledge would be a significant problem for the MSP, as it works closely with its customers in the UK.

“We’ve worked with [current customers] for years, around these types of services,” he said. “These types of services are quite high-risk to deliver if you’re a partner.  

“But they’re very interesting, sticky, long-term services that partners want to have now. People like Steve have been in the industry for a long time [and has] those relationships.”

Baker will be joined by Luke McDougall who takes on the role of regional sales director. He joins Harbor after spending three years at Rubrik, in the role of regional sales director.

Harris said while Baker and McDougall are the “initial landing” for Harbor in Australia, with MSP looking to expand the local team “significantly in time”.

“We’ve got project management already deployed in region, [and] we will be scaling the team,” he said. We’re now rolling out and launching, [with] significant investment in people over the course of this next, this next six months.

Keeping it regulatory

Harris said it took Harbor about a year to launch in Australia, from the initial discussion with Baker to when the deal with Rubrik was signed.

“Our conversation started early last year,” said Baker. “We [Harris and Baker] first had an introduction, and then I met with the CIO, Nick Baron, and CRO [chief revenue officer], James Connelly [to discuss] the market.

“Obviously, Harbor was the largest global MSP for Rubrik at the time, and that’s how the dots were joined for me initially.”

Harris said the MSP did its research and while Australia and the UK had their own unique markets there was “definitely a strong cultural linkage”.

“We also saw a familiar wave of regulatory change beginning to hit the Australian markets [which was] something we understood well,” he explained. “We had access to great talent, like Steve [Baker] and it really felt like a perfect storm…it made sense for us to land there.

“We had a solid understanding of the market, and being close to Rubrik gave us inside insight into what was happening in the region.”

This was combined with what Harris saw as “a real opportunity for a specialised service provider”

“We don’t believe there are many of those in the area [and] we saw Australia as greenfield territory,” Harris said. “It presented limited risk, in a known market, with known challenges.

“That regulatory position is always a key driver, organisations are looking for guidance when navigating unfamiliar territory. We see ourselves as an advanced partner in helping them down that path.”

In Europe, under the Network and Information Systems utility companies that provide essential services must improve their own cyber security or face financial fines of up to $35.5 million (£17 million) and this will be extended to include MSPs.

However, just over 9,800 small and micro-UK-based MSPs would not be in scope, as they would be subject to the small and micro exemption, although this could potentially change.

In November 2024, the Australian government’s Cyber Security Act that came into place “directly referenced UK legislation around MSPs and around cyber security”.

“I think if you look at the market dynamics we’re facing, as consumers, as people, and as organisations, data protection is in a far more demanding state than we’ve ever seen,” said Harris. “That’s true from both a client expectation perspective and a risk perspective.

“When you combine that with the limited internal resources most teams have, they’re now expected to deal with rising risks, increasing regulation, and growing complexity.”

A good example of that is validation, proving recovery capabilities actually work, which ten years ago in the UK that kind of testing was done irregularly at best.

“Now, it has to be automated, measured, and audited,” explained Harris. “It’s not just best practice, it’s compliance-driven and directly tied to your ability to operate in the market. All of that is putting even more pressure on already stretched teams.

“When you consider the risk of failure, not just from a compliance standpoint but from real-world impact, you start to understand why this is such a serious concern.”

Standing with trust

In Australia, there aren’t the same regulatory points for MSPs that there might be over in Europe. Instead, customers must rely on the “trust, credibility, and reference-ability” of their IT service provider, pointed out Harris.

“The global spend on the defence against security attacks, whether a malicious attack or otherwise, it’s billions and billions of dollars… hundreds of billions,” he said. “But if you look at the actual recovery stack, it’s different, because people are really trying to avoid it happening.

“Whereas we’re in the recovery space, when it’s happened, we kind of assume that at some point the bad guys are going to get in. Our focus is really trying to open clients’ eyes to the processes, notifications [and] the things [are needed] to test for.”

The slowest part of any recovery is typically the client’s decision-making, said Harris.

“If we can improve that, and at our level it becomes a very specialised discussion, you can guide an organisation through its entire recovery process,” he noted. “Tooling is key, but so are the people, the processes, and the validation, so the organisation can honestly say to itself.”

MSPs like Harbor, test and do everything it can to enable the customer to recover quickly and focus on the most important applications first, “bring them back in that situation”, explained Harris.

In turn, ensuring the customer works with an organisation that can take them across the technology world, from a legacy platform through to a far more defensible recovery position.

“The environment is huge, take Microsoft 365, cloud services, on-prem systems… data is everywhere and constantly changing,” he said.  “That landscape isn’t going to stabilise anytime soon [and] if you step back and look at that as a market dynamic.

“It’s clear that organisations need help [and] they don’t have the capacity to solve all of this on their own.”

A/NZ country manager, Baker said Harbor has aligned its capability stack to meet Australian regulatory requirements like the Essential Eight, The Security of Critical Infrastructure Act 2018, and various privacy principles.

“It allows us to stand up with confidence and say we are ready for when the time comes,” he said. “We know the strengths of the platforms we use, and this ensures the applicable compliance measures are covered in both the stack and the service delivery.”

Partners today have the challenge of how to deliver into their client base, Baker has that trust, and heritage, noted Harris.

“If you’re thinking about partnering with a customer or a reseller that listening is key but really focusing on what that customer outcome needs to be,” said Baker. “I have been the customer in previous roles; I was acutely aware [when] I was after a partner that could be with me through thick and thin.

“I think if you’re able to achieve that bond and trust with your customer, then you need to demonstrate that.

“You need to be accountable, you need to be transparent, and you need to be there for them and adapt to change, because every customer ecosystem is going to go through change.”

This way of thinking is required in the backup and recovery market, particularly with the “as-a-service” side of it has evolved significantly in response the pressures customers face.

“We’re seeing demand from clients who expect a higher level of support and specialisation, and we’re ready for that,” said Harris. “With the client base we already serve, we feel very confident and energised about what’s next.”