Magazine Article | February 1, 2006

Become A (Well-Paid) Compliance Teacher

Educating customers about the importance of complying with industry regulations is helping this VAR reap $2.1 million in new business this year.

Business Solutions, February 2006
Sacramento Technology Group LLC remembers the folly of being a network security box seller. When the VAR first started out a few years ago, it used cold calling and mailings to bring in new business. This strategy led to a few interested replies, but they weren’t the kind of customers the VAR wanted to attract. “Most responses were from companies that were already in the process of buying new networking appliances and were just looking for price comparisons,” recalls George Usi, president and CEO of Sacramento Technology Group. “We sold a few procurement tools that way, but we often found ourselves in bidding wars with other VARs.”

Sacramento Technology realized it needed to offer something more, and it took drastic measures to change its business model. Today, product sales account for only 30% of its total sales revenue. The rest comes from educating customers about complying with regulations.

Help Customers See Their Need For Network Security Compliance
Sacramento Technology educates customers about the importance of security and disaster recovery. More specifically, it educates them (via Webinars and lunch-and-learns) about complying with industry regulations related to security and disaster recovery.

At its lunch-and-learns, the VAR invites its vendor partners, existing customers, and new prospects. One principle Sacramento Technology follows is accepting minimal co-op money from vendors. “We like to have control over our educational events and not feel we have to plug a particular vendor’s product because it made a financial contribution,” says Usi. “Typically we have between 20 and 40 people from 15 to 25 companies in attendance.”

Another principle the VAR follows entails including more existing customers than prospects in the audience. In fact, most events include only three to four prospects for every six to seven existing customers. The reason is that new prospects who attend a seminar will turn to their peers with questions or for advice rather than approach the VAR. “It’s one thing to ask prospective customers to read case studies about successful installations,” says Usi. “It’s a whole different thing to have them talk to the guy sitting next to them who’s already completed a similar project with our help.”

Sacramento Technology’s seminars have a strong emphasis on compliance, which often isn’t the most interesting topic for IT people who just want to get their hands on the latest network appliances. As a result, the VAR emphasizes to new customers that the presentation is geared toward managers and/or business executives. Some of the compliance mandates and networking strategies Sacramento Technology covers during its presentations include:

  • HIPAA (Health Insurance Portability and Accountability Act) — legislation passed in 1996 that includes a privacy rule creating national standards to protect personal health information
  • Sarbanes-Oxley — a law administered by the Securities and Exchange Commission to regulate corporate financial records and provide penalties for falsification of data
  • COBIT (Control Objectives for Information and related Technology) — a framework for information security created by the Information Systems Audit and Control Association (ISACA)
  • SB1386 — a California Senate Bill (SB) that requires businesses to inform all their clients in the event of a network security breach
  • IPv6 (Internet Protocol version 6) — a new Internet architecture that is built on a 128-bit architecture and includes end-to-end security
  • FCAPS (fault, configuration, accounting, performance, and security) — the ISO model for network management, the primary standard that network security VARs and consultants follow to troubleshoot and secure networks
  • Gramm-Leach-Bliley Financial Services Modernization Act — an act that requires banks, insurance companies, brokerages, and other financial institutions to establish administrative, technological, and physical safeguards to ensure the confidentiality and integrity of customer records and information

The VAR earns about 50% of its business through Webinars and seminars (the other half comes from vendor leads). One of the ways Sacramento Technology earns the respect of new customers is via its engineers’ credentials. For example, each lead engineer at Sacramento Technology is either CISSP (Certification for Information Systems Security Professional)- or CISM (Certified Information Security Manager)-certified, which are ANSI (American National Standards Institute)-approved certifications developed by the ISACA for experienced information security managers and those who have information security management responsibilities. Additionally, the VAR is involved with professional and technological organizations such as the IPv6 Task Force, which makes recommendations to the federal government about how it should upgrade its networks from the existing IPv4 (Internet Protocol version 4) format to the next-generation architecture.

Hold Customers To A High Network Security Standard
After the VAR finds a few strong prospects from its initial meeting, the next step is to set up a one-on-one appointment with the customer to get to know the customer’s work environment, physical network, and compliance concerns. During this phase, Sacramento Technology never mentions a particular kind of hardware or software solution. Taking a consultative approach can extend the sales cycle up to 6 months — compared with just 60 days for a product sale. But the VAR has learned the wait is worth it. “Only after we’ve done a thorough evaluation can we make the right recommendation,” says Usi. Also, by being thorough, Sacramento Technology can uncover security vulnerabilities the customer didn’t know it had. For example, one part of the evaluation entails having technicians walk the customer’s work area and observe the customer’s employees at work. This can reveal a host of security violations. “We may discover employees are running bandwidth-hogging and virus-prone applications such as Kazaa, or we might discover there are a lot of peripheral storage devices being used, which can pose a network security threat,” says Usi.

Occasionally, a customer will disagree with Sacramento Technology’s recommendation and will insist on solving a network problem a different way. After several attempts to get the customer to see things its way, the VAR tells them, “Do what you want, but don’t buy your security products from us.” Usi recalls one customer that went against Sacramento Technology’s advice and bought a low-end load-balancing appliance from another VAR. “After a spike in network traffic, the low-end load balancer failed, the network crashed, and the customer’s VAR wasn’t available to help,” says Usi. “The customer came back to us for help, and it’s been very loyal ever since.” Usi says one of the reasons Sacramento Technology Group is strict with customers about network security is that if a customer’s data is compromised, the VAR that installed the network security could share some of the legal ramifications. Simply put, if you’re a VAR that bases your business on being a network security expert, a security breach for one of your customers could spell bad news for you, too.