Magazine Article | January 1, 2003

Network Security Pays Off

After investing in specialized network security employees and assessment tools, integrator Creative Business Concepts Inc. is expecting nearly $8 million in sales revenue this year from security-related projects.

Business Solutions, January 2003

Imagine how Superman must have felt when he first encountered a piece of kryptonite. Suddenly all of his strength and super powers were sapped, leaving him vulnerable to an attack. As he lay writhing in pain, he probably wished someone had informed him of this one weakness in advance.

Now imagine being able to hand your customers a list of network versions of kryptonite. As though you're using X-ray vision, you're able to uncover the security holes and offer ways to plug them. Now you're the hero. Networking integrator Creative Business Concepts Inc. (CBC) (Irvine, CA) plans to be that kind of hero and increase its sales revenue 60% this year by selling security assessments and the resulting remediation products and services.

Go Beyond Firewalls And Virus Software
To design and ultimately sell a network security assessment, CBC President J. Richard Shafer realized he needed a staff with security knowledge beyond the firewalls and virus software CBC had been selling for years. "I hired the sales manager and three engineers from a Fortune 500 security firm," Shafer explained. "These individuals are CSS 1 [Cisco Security Specialist] certified and have years of security experience." He didn't stop there, though. He began sending staff, sometimes for a week at a time, for additional security-related training courses. For instance, some employees are training to become a CISSP (certified information systems security professional), an industry certification from the International Information Systems Security Certifications Consortium, Inc. Additionally, two staff members are now RSA Security (Bedford, MA) certified security specialists. "In 2002, we spent $50,000 on training for six of our engineers," Shafer said. "We plan to continue that level of training this year for our remaining six engineers."

Much of the training CBC staff members receive pertains to the $100,000 worth of software tools the company uses to create its security assessments. Not surprisingly, Shafer is mum on the exact names of the tools CBC uses for these assessments.

Three Security Assessments Per Month
CBC's security assessments review topics such as a company's wireless network and its number of servers, domains, and locations. According to Steven Reese, CBC's VP of professional services, the assessment also includes a portion on social engineering. "Social engineering is determining how much access an anonymous person could gain to a company's network information," he explained. "It's a way of seeing what their current security looks like. You would be surprised how many companies will allow access to their computer rooms if you just look like you belong."

Shafer said the typical security assessment costs clients between $25,000 and $50,000 and takes nearly four weeks to compile. "The majority of our customers are overwhelmed with the amount of data we've collected in their assessments," he said. "So, even if they purchased the assessment tools we use, they would not have the expertise to analyze the immense amount of data we review." CBC completed six security assessments the first year (2002) it offered this service. Three of those assessments were for new customers. Shafer estimates the company will complete three assessments a month in 2003. He said that rapid growth will come from referrals from new security customers as well as the company's existing client base (CBC provides networking services to most of its clients).

Provide Policy And Procedures Expertise
CBC expects approximately $5 million to $7 million in sales revenue this year from the remediation portion of network security assessments. (Remediation is the process of fixing or repairing the network security holes an assessment has identified.) According to Reese, the most common products customers require (and ultimately purchase) at this stage include:

  • Event correlation software - designed to gather all of the data logs from the different devices (e.g. router, switch, server) on a network and alert the systems administrator about potential intrusions. In essence, this software creates a protocol that says, "this action is happening at X device, the network is probably being hacked. Send an alert to person Y."
  • A change management solution - includes a device and operating system that prevent change to a system without a secondary authentication.
  • Intrusion detection software - monitors a specific network device and identifies potential network threats.

In addition to hardware and software, the remediation process often includes services such as helping customers develop and revise security policies and procedures (P&Ps). This service is important because, according to Shafer, the most common problem he sees with network security is neglect of written policies. "For example, we frequently find servers and workstations logged on and left unattended," he explained. Shafer said IT staffs tend to keep detailed security-related procedures in their heads instead of writing them down in manuals. If those staff members decide to take jobs elsewhere, that P&P info goes out the door with the employees. "CEOs, CFOs, CIOs, and CTOs like knowing we help build P&Ps and train their people to follow the guidelines outlined in those documents," Reese said. "After all, without P&Ps, they may get a lot of technology, but they're not sure about the value of how it all works or what the protocols are for future problems."

Partner With Vendors For Marketing
To spread the word about its new security assessments, CBC began hosting events such as a golf outing; a boat trip; and bi-monthly, half-day educational seminars. The latter, held at a university 6 miles from CBC's headquarters, are free to attendees. These seminars include speakers from network security vendors and specialists on topics such as HIPAA (Health Insurance Portability and Accountability Act) compliance. CBC created a mailing list of approximately 1,000 CIO, CTO, CEO, and CFO names for these events. Shafer said each seminar costs between $5,000 and $8,000, and vendor sponsors help defray the costs. However, the investment is paying off. At the first two seminars held last year, there was an average of 50 attendees. CBC landed three assessments as a result of those seminars.

The boat trip was even more successful than the seminars. Similar to a dinner cruise, this event gave CBC and its vendor partners a captive audience for a few hours. One week after the boat docked, CBC closed on three security assessments. "We are driving heavy marketing initiatives right now because network security is today's hot issue," Shafer said.

To some companies, a security assessment may just reaffirm their networks are secure and the right P&Ps are in place. To other companies, a security assessment can be an eye-opener. In either case, the integrator or VAR walks away looking like the hero.