Don't Overlook SMB Security Sales Opportunities

Your SMB customers are especially vulnerable to Internet security attacks. In fact, the Symantec Internet Security Threat Report says that Microsoft Internet Explorer was targeted by 77% of all malicious attacks specifically targeting Web browsers. How many SMB customers do you have that use Explorer? Symantec documented 2,526 vulnerabilities in the second half of 2006, 12% higher than the first half of 2006, and a higher volume than in any other previous six-month period. The point is that Internet security threats are increasing, especially for SMB customers who tend to be more vulnerable than enterprise customers.

That vulnerability is due to the fact that many SMBs have yet to completely come to grips with the idea that they are targets. "As the larger enterprises become more prepared for attacks, SMBs are being targeted by hackers, phishers, and spammers on the belief that SMBs may be easier marks," explains Darrell Rodenbaugh, SVP of the global midmarket segment for McAfee. In addition, SMBs are generally unwilling or unable to hire full-time security specialists. "Our studies show that when an SMB reaches the size of 300 to 500 employees, it's time to make the investment in a security specialist," adds Rodenbaugh. Those customers with fewer than 300 employees are looking for help in installing and using security technology — creating opportunities for VARs.

Security Simplicity Is Key With SMBs
VARs can play a major role in helping to protect customers from the wide variety of security threats to customers' networks. However, the threat landscape can be very overwhelming to VARs that are not security experts. "Security is intimidating because it's not simply about viruses anymore," says Keith Lubner, director of channel alliances for Grisoft (AVG). "SMB customers know they need more than just virus protection, but many are hesitant because they are confused as to what solution is best for them. To address both VAR and SMB customer concerns, we promote the 'behind the scenes' method of security protection. That means VARs are able to sell, install, and configure the software easily, and customers shouldn't have to constantly be reminded that security software is loaded on their computers. Processes like updates should happen quickly and easily, and virus scanning should be seamless."

Nancy Reynolds, VP of SMB channel marketing and sales for Trend Micro, says, "Small businesses are looking for security solutions that provide protection minus any headaches." To prevent those headaches, Trend Micro uses a philosophy of simplicity when designing and delivering small business security products through the channel. "Most recently, we've taken steps to simplify how our channel partners can more efficiently manage security for multiple SMBs by providing a Web-based management service."

McAfee's Rodenbaugh agrees. "VARs need solutions that are easier to install and manage. Those security solutions should consolidate all the customers' security needs into a single management console. 'Point' solutions that don't integrate with each other are becoming less popular in favor of broader, more complete solutions."

That's a good approach, but how can VARs learn the skills needed to provide security services at a higher level such as UTM (unified threat management)? "It requires a level of investment," explains Julie Parrish, VP of the Symantec global channel office. "Our successful security partners have made an investment in their security practice or their security specialty. The investment involves time, commitment, and money." Parrish says VARs should not fear the security market. "They should move quickly to be a part of this opportunity. Markets such as storage and networking provide excellent cross-selling opportunities for security."

Build Your Security Practice On A Consultative Model
Another way for VARs to succeed is by basing their security services on a consultative model. "The consultative business model is key," says Thierry Benchetrit, director of channel sales for North America, ESET, LLC. "VARs that focus on a consultative model when selling to SMBs are likely to find a lucrative market. The products provide initial revenue, and the services can provide a recurring revenue stream." The consultative model that Benchetrit recommends can also lead to VARs achieving trusted advisor status.

What exactly does a consultative model consist of? For starters, VARs should incorporate some kind of security threat assessment for their customers. The assessment can be as simple as a one-page report showing the customer the largest security holes in its network. For instance, maybe the customer has antivirus software but has no spam or malware protection in place. Encourage your customer to ask why spam is a security risk. Then respond with, "In the last six months, one out of every 147 spam messages blocked contained malicious code." That will undoubtedly start a discussion and set you on your way to becoming a trusted advisor.

At the very least, VARs should be able to accurately explain security vulnerabilities to their customers. Where do you learn about those threats? Most security vendors have in-depth information on their Web sites to help you. For instance, browse to the Symantec Web site (www.symantec.com/enterprise/security_response) and read the Internet Security Threat Report mentioned earlier in this story. Learn some of those stats so that you can explain them and what they mean to your SMB customers. But, don't stop there. In order for any network security plan to be successful, it needs to be ongoing. That means you must drive the security plan for the customer by scheduling security health checkups. Tell your customers about attacks that you have helped them prevent. Work with your customers actively to promote good security habits such as changing passwords and updating virus definitions. By becoming an extension of their IT staffs, you will be an indispensable resource and can charge for each of those services.

Offer SaaS Managed Security Services
For VARs who want to get into security but may not have the resources available, there is another option. Many security software providers are now offering an alternative to traditional software-based security solutions. Software as a service (SaaS) is a new delivery model where customers pay to use the software — not to own the software. In the SaaS scenario, a software provider has the responsibility to host the software application and provide a customer interface to the application. A popular example of a successful SaaS implementation is Salesforce.com, a CRM (customer relationship management) software provider that delivers its software via the Web. Customers pay a monthly license fee to use the software and to store their customer information at the Salesforce.com data center.

The same model is now becoming increasingly popular for Internet security applications — and why not? — since the Internet is the source of the malware in the first place. By reselling SaaS products, VARs are able to generate a recurring monthly revenue stream while not incurring the costs of building NOCs (network operations centers) to host their security applications. The SaaS model is also increasing in popularity with SMB customers because of the hands-off nature of the service and the low cost.

When you decide it's time to go a step further, perhaps you can consider offering your own managed security services. Some VARs such as Prevalent Networks (see the February 2007 issue of Business Solutions) have taken the SaaS model to the next level, building a NOC and offering its own branded managed service called BCOD (business continuity on demand). VARs might consider offering those types of services as the next step in building a complete managed services practice.

"VARs make mistakes when they don't think thoroughly or broadly enough about the security challenges facing their customers," concludes McAfee's Rodenbaugh. "Often VARs will help customers successfully deploy basic malware solutions, but they overlook a long list of other challenges such as spam, Web content filtering, and end point security." There is no 'one solution fits all' when it comes to Internet security. Don't rush to judgment when recommending a solution. Listen to your customers, and recommend a solution that fits their requirements. No matter which security sales model VARs choose, it's important to remember that Internet security is just as important to SMBs as it is to enterprise customers.