Magazine Article | October 16, 2006

Profit From The Perfect Security Storm

For many VARs, this is a time to seek shelter. For others, this is the time to become security superstars.

Business Solutions, November 2006

Providing security products and services may seem intimidating to some VARs, but for the right VARs, it is a big opportunity — maybe the biggest ever. Does that sound bold? It’s not. We are living through the perfect security storm. When the creation of malware became a profit center for criminals, the clouds started rolling in, and businesses started stacking sandbags to protect their data. From another direction, the gale winds of compliance have forced businesses to provide high levels of security. From yet another direction came a low front caused by the fact that most businesses do not have a good understanding of, or the proper resources needed to build and maintain, IT security networks. As these fronts built momentum and collided, they produced the perfect security storm. Security threats are spiraling out of control and many businesses cannot stop them — that is, without help. Therein lies the opportunity for VARs.


Evaluate If Security Is A Good Fit For Your Company

The opportunity is right, but are you right for the opportunity? “It is important that VARs are technologically savvy, services-oriented, and have a thorough understanding of the existing and new security technologies,” says Scott Van Horne, director of channel sales for PatchLink, a company that produces patch management and security vulnerability software. “VARs will have to be able to design multilayered security programs for organizations’ specific IT challenges and environments,” adds Van Horne.

Larry Bridwell explains, “VARs that find success offering malware protection to customers are those that have an understanding of the entry points of a system that malware uses to attack, as well as the effects and damages such an attack can cause if successful.” Bridwell is the VP of communications for antimalware specialist GRISOFT. “It is also helpful for the VAR to be familiar with networking and internetworking protocols and general security,” he adds.

Rick Moy, VP of marketing for ESET, says, “Selling security requires expertise and broad experience. VARs should make sure their technical competency is appropriate for the specific security solutions they offer. Antivirus software has the highest customer churn rate of any IT product. On the sales side, resellers will need to reevaluate their offerings on a regular basis.” ESET is a company that provides antimalware software and protection against identity theft.

Eric Lewis is the director for North America for security software specialist BitDefender. “VARs that understand the Internet and enterprise collaboration needs are the best qualified to provide security solutions,” says Lewis. “Most threats are Internet-borne or the result of poor security policies for collaboration [the sharing of information online]. A VAR that understands the Internet and collaboration will be better suited to sell security solutions.”


Pursue Security Training And Certification

If I haven’t scared you away yet, you’ll probably want to know where to start with security. “VARs need more than just product training to provide security solutions,” explains Moy. “They need education on the fundamental problems which lead to insecurity.” Understanding the fundamental problems requires a comprehensive knowledge of how customers are exposed to threats — including social engineering tactics that are prevalent in many malware applications.

PatchLink’s Van Horne makes a specific recommendation. “Ideally, a CISSP [certified information systems security professional] on staff with the VAR will help build credibility and help the staff understand the importance of security, best practices, certification on the product, and ongoing education.” That is a point not to be ignored, considering the threat landscape changes every day.

“The level and types of security training would be dependent on the target customers of the VAR,” adds Bridwell. “If the VAR is selling malware protection primarily to the consumer market, there would be a minimal amount of training necessary. On the other hand, if selling into the SMB and/or enterprise markets, training would be required for the VAR.”

BitDefender’s Lewis adds, “VARs should pursue a number of security certifications. But they should also take advantage of free product training and certifications from vendors.” (Each of the vendors featured in this story offers comprehensive security training for VARs.)


Bundle And Layer Security Solutions

If you think you may be the right type of VAR to provide security solutions, the next logical step is to determine what to sell. “A VAR should seek a solution that can provide high quality, frequently updated/upgraded support for various operating systems,” explains GRISOFT’s Bridwell. “Those solutions should be able to be incorporated across all customer sizes [consumer to enterprise]. The vendor must provide knowledgeable, responsive, and expert technical support. The products should provide the end user — consumer or enterprise — with solutions that are dependable, easy to install and use, and have low overhead in memory and impact on the system or network.”

ESET’s Moy adds, “Best-of-breed layers of security will be important to protecting against threats. Beware of reactive signature technology used by traditional antivirus vendors. Look for truly advanced heuristics technology.” Heuristics adds a level of intelligence to antimalware. Instead of looking for specific viruses, heuristics-based software looks for characteristics in the code. Heuristic engines have the ability to detect unknown malicious code based on known functionality.

“To provide simplified security solutions and implementations, VARs are becoming the go-to source for bundling the best products together on an as-needed basis for each IT environment,” says Van Horne. “VARs should consider building a service-focused practice around a portfolio of integrated, best-of-breed solutions that covers the entire vulnerability management life cycle and enables organizations to utilize their resources more wisely.” The vulnerability management solutions in VARs’ portfolios should include comprehensive internal vulnerability assessment, integration with external assessment, and penetration testing tools. But remediation is the most critical component. “The ideal solution should accurately define patch precedence and interdependencies and confirm that a patch remains in place to avoid ‘patch drift,’” explains Van Horne. (Patch drift occurs when computers are not kept at the same patch level — they can ‘drift’ in different directions, causing problems.) “Solutions also need to include easy reporting across the organization as well as integration with emerging technologies, such as network access control. Finally, it is important that all solutions work across multiple platforms and application layers to address the evolving threat landscape.”

Lewis advises VARs to provide complete security suites instead of point products. “Security solutions should provide automatic updating and quick response time to new threats,” he says. “For antimalware, VARs should look for heuristics at the desktop and server levels. All products should support Windows-, Linux-, and FreeBSD-based servers.”


Communication And Awareness Are Keys To Success In Security

“VARs sometimes fail to provide the ‘correct’ solution for the customer,” explains Bridwell. “They provide an enterprise with a solution that is designed for the SMB or consumer market and is therefore not robust enough for the job. Conversely, VARs may sell a product that is designed for the enterprise to SOHOs [small office-home offices] or SMBs. The other common mistake is not stressing the importance of security and security awareness to customers, especially in the SOHO and SMB markets. They depend on the VAR for that help.”

Van Horne adds, “The most common mistake that VARs make is a lack of understanding in the value of a particular solution and/or not committing to a best-of-breed solution. VARs need to focus on the target market and understand what their specific security needs are in order to meet customer demand.”

Lewis says, “VARs must avoid putting in security point products and assuming the customer is secure once the installation is complete.” IT security is not a commodity sell. The increase in market share by smaller companies is evidence of that. If you are a VAR with the skills to meet the challenge, why not take advantage of the perfect security storm?