Magazine Article | October 14, 2009

Q&A: Can Hosted Security Grow Your Business?

With all the buzz around cloud-based, hosted, and managed technology offerings, VARs should take the time to learn if hosted or managed security solutions are a fit for their customers.
Business Solutions, November 2009
Gennifer Biggs

As the popularity of hosted, cloud-based solutions for everything from security to storage continues to grow, VARs and managed security services providers (MSSPs) need to consider the best way to add hosted security solutions to their portfolio as well as how to present that new option to both existing and potential customers. Business Solutions sat down with four hosted security vendors and asked their advice on how VARs can tackle those two challenges. Participating in this roundtable discussion are: Kendra Krause, VP of channel sales for Fortinet; Scott Barlow, VP of sales and product management for Reflexion Networks; Scott Cutler, COO of AppRiver; and Angelo Comazzetto, Astaro Security Gateway product manager.

How do you differentiate between managed security services and hosted security solutions?
Angelo Comazzetto, Astaro Security Gateway product manager: For us, the difference between hosted security and managed security services is somewhat subtle. Both methods consist of partners purchasing a product that they then resell as an offsite solution to an end user. With hosted security, the solution creates a system where our partners can offer an off-site security product where the end user handles access, configuration, and freedom of use. With managed security services, the solution is completely managed and supported by the solutions provider.

Scott Cutler, COO of AppRiver: We do differentiate: In general, MSSPs provide assistance by managing IT equipment that resides on the customer's premise — including routers, firewalls, servers, and PCs. Some of the newer services MSSPs provide are vulnerability and penetration testing. MSSPs have also begun to integrate hosted security solutions, which they view as another tool in their toolbox. The fundamental difference is that the hosted security solution resides in the cloud, not within the customer's environment.

Kendra Krause, VP of channel sales for Fortinet: We differentiate the two by defining managed security services as the management of a device or series of devices that might or might not be present at the customer's location, often known as customer premise equipment (CPE). Hosted security services providers (HSSPs) deliver a service to the customer, but the physical equipment is not at the customer's location.

Are there particular verticals in which you see the most interest in hosted security? In managed security solutions?
Scott Barlow, VP of sales and product management for Reflexion Networks: Because of favorable economics, both of these delivery models have cross-industry, horizontal market appeal. MSSPs and HSSPs typically go to market with a "stack" of related services, such as email archiving, discovery, and recovery and business continuity, rather than just one single security product. The ability to mix and match those services can be appealing to specific verticals with particular needs.

For example, archiving, discovery, and recovery services may appeal to professional services firms that deal in high-value information and are subject to civil litigation, such as law, architecture, engineering, and construction firms and consultancies. Encryption may be more appealing to medical and financial services companies faced with protecting patient and consumer information.

Cutler: We see tremendous activity with any business that uses email, because email security solutions are the perfect fit for Software-as-a-Service (SaaS); those hosted solutions block all the garbage before it even enters an organization's network. But generally, security services fit well within vertical markets that have growing security regulations.

Do you think that managed security services has fully hit its stride as an accepted technology solution? How about hosted security? Explain why.

Krause: Fortinet has seen good acceptance of managed security services from our customers and partners, as many of our partners have been looking for many years to shift their business from a project-based sales approach to a model that has recurring revenue. Plus, during these difficult economic times, many end users do not have the resources to manage their own security practice. They are looking for hosted or managed options to save costs and internal resources and, oftentimes, to improve their security posture in the process. Our partners are taking advantage of that.

Barlow: I would say that we are still in the "early adopter" phase of market development. However, this varies by the nature of the offering. For instance, the many benefits of hosted email security have driven this solution into the mainstream. Adoption by solutions providers has been encouraged by integration with existing professional services automation (PSA) and remote monitoring and management (RMM) tools, and these trusted IT advisors have carried the solutions through to their clients. Hosted Web Security is earlier in its life cycle, and further end user education will be required to explain how it protects businesses from, in particular, the new Web 2.0 threats. However, the significant advantages of putting Web security in the cloud, such as providing protection to mobile and laptop users, will drive its broad penetration, too. Thinking longer term, the full vision and capabilities of managed and hosted services are still evolving, and the model of an "IT services utility" will become much more robust.

Comazzetto: While I think that hosted types of certain security services, especially email, are accepted now, the technology is still maturing both in application and in how it is sold to the customer in other areas, such as Web filtering or intrusion prevention systems (IPSs). Customers are always balancing the advantages of having their equipment on-site vs. in-house against having the peace of mind associated with having dedicated support. Things like Web filtering can be done off-site, but it can add latency, reduce granularity or choice in configuration options, and put key security decisions outside of the customer's direct control, which some companies are not willing to do. While the market is now creeping forward into acceptance regarding off-site hosted solutions (hosted security) and farming out their needs for a smaller management and subscription fee (MSSPs), the big hurdle is how to educate customers that their data is safe.

What should an MSP just entering the managed security solutions field look for when selecting vendor partners?
Krause: MSPs need to understand the entry costs and training requirements needed to enter the managed security space. There are many options available to partners from vendors, but the costs of entry can range rather significantly. MSPs also need to evaluate the technology solutions various vendors provide and the reporting they can provide to their customers, since validating the service they provide is key to contract renewals.

Cutler: First, I worry that there is too much stress on standards. Standards are great, and they will evolve as the technology evolves, but a VAR can determine fairly quickly how well a hosted security provider performs with just a little investment of time and a connection to the Internet. Search on the company to see what you can find. Call their support desk at odd hours — do they answer? How long have they been in business, and how many customers do they have? Ask to speak with their customers. Ask to speak with ex-customers. What is their customer retention rate since the company started? If a client wants or needs to cancel, are there financial penalties? From our viewpoint, there shouldn't be, since the hosted option should truly be on-demand. The facts will begin to emerge and help shed some light on the vendor's culture, products, and customer service methods.

What questions do channel partners typically have?
Cutler: VARs come in conditioned to ask about reliability — and they should ask about that. Other questions include: How is it built? How do I sign up customers? What provisioning and support tools are offered? What are the pricing models? How do I get out of it if customers don't like the service?

Comazzetto: Our partners are always interested in new ways to grow their businesses. Many partners ask about the time commitment and extra duties they can expect in the managed security space — the answer directly depends on the level of skill and requirements of the customers they sell to. We advise them that they should be ready to act as an on-demand IT department if selling such services. We also discuss the remedial items, such as making packet filter changes, chasing down email messages, setting up VPN (virtual private network) tunnels, etc. — the small things that customers will expect of them. The successful MSP ensures they are getting maximized revenue across these requests, either by a larger global fee or on-demand per-request pricing that is easier to swallow for the SMB. When the customer requires a high volume of basic requests, the partner may be nicely compensated, significantly increasing their own revenue.

If you don't feel your channel partners are engaged with managed or hosted security, why not? What are you doing to increase interest?
Krause: We are creating programs (such as an evaluation starter kit) to help partners gain some of the necessary technologies to become an MSSP or to test the services to decide how the technologies can best be leveraged in their business. We have seen partners consistently migrating to a managed services model. Those who aren't often don't understand all the options about how to start and make the right choice about both technology and vendor options.

Barlow: Some channel partners have cold feet based on poor performance from prior vendors. In order to overcome this potential obstacle, we provide free internal use for most of our services. Once our partners have faith in us and our product, they are then ready to present that solution to their clients with confidence. To maximize and extend interest in our offerings, we try to continually add new, complementary up-sell services that allow our partners to increase their monthly services invoices.

What value propositions do you think MSPs need to highlight when it comes to managed or hosted security?
Barlow: There are many value propositions to any hosted service; the top five are:

  • An insulating layer of security. Managed and hosted services block malicious attacks before reaching the corporate infrastructure and harden the infrastructure to prevent directory harvesting and denial of service attacks.
  • Significant bandwidth savings. Malicious incoming connections are blocked in the cloud, saving both bandwidth and storage requirements.
  • Reduced financial risk. As the volume of spam inexorably increases, subscription prices remain the same, avoiding the need to cluster or upgrade internal appliances or locally deployed software.
  • Operating versus capital expenditure. Pay for what you use.
  • Business and email continuity. Email spooling, for instance, queues inbound email during a local outage (server, power, Internet), and add-on services from hosted providers enable users to continue to send/receive email during the outage.

Cutler: At the highest level, hosted solutions add value to your client's organization by reducing complexity, risk, time-to-solution, and expensive hardware costs as it easily scales to a business' evolving demands. Many hosted solutions are "must haves" for nearly every organization. But these ubiquitous applications — like email and email security — require a great deal of effort and cost to operate while adding little to differentiate an organization's core value to its constituents. For example, compliance, patch management, upgrades, and employee training and retraining — all those constantly evolving demands — can be removed from the IT person's plate by outsourcing to a hosted solution.

Comazzetto: The biggest success comes from accurate marketing around "making your problems our problems." By giving a goal to a third party (i.e. keep our in-boxes clean of spam), the customer can pay an up-front, measured, and easily calculated cost, weigh it against their other factors of doing it themselves, and make an educated decision as to whether the model/proposal brings business value to them. VARs should also emphasize the lower up-front expenditure of purchasing a managed solution and the ability to easily scale the solution up or down if needed.

What objections should solutions providers be ready for — and how do they answer those objections?
Krause: Solutions providers need to be ready to discuss why a prospective customer should outsource security or management of security devices. Specifically in security services, there can be concerns about confidential information or access to sensitive parts of a network. MSPs need to handle these objections by reminding prospective customers that the MSP is an expert in their given field. Emphasize industry certifications, the investment in technologies to manage and monitor the services, the industry-leading technology vendors they work with, and the deliverables they will be providing back to the customer that clearly demonstrate the tangible benefits of buying security as a service.

Barlow: The most common objections that solutions providers receive are around price, changes in behavior, and security. First, with regard to pricing, we always recommend that solutions providers integrate hosted services in all-new managed services agreements, in order to avoid selling the customer 10 or 20 different solutions. Create line items for each and every service you provide. Second, hosted services can generally be implemented without any, or only minimal, changes in user behavior. While there will be changes in internal management and administration, these changes are generally received as very positive and a key decision driver.

Finally, security is improved because hosted services block malicious content before it reaches the corporate infrastructure, providing many advantages not only for security, but also from a cost savings point of view (bandwidth, storage, avoidance of hardware upgrades, etc.). From a sales point of view, if a customer has requested a particular security service, it is often because there has been pain. Leverage your local newspaper and magazines for stories on businesses in the same vertical that have faced loss, lawsuits, or other issues that you can proactively address for your customer.

Do you have advice for an MSP interested in offering managed or hosted security?
Krause: Partners truly need to understand the security pain points for customers and be knowledgeable about the technologies within a managed security model that can help alleviate those issues. The issues could be hardware or management costs that are too high and too complex, security posture that is not comprehensive enough, too many point solutions and related relationships to manage, etc. Being able to address these issues with a clearly defined MSP transition plan, while highlighting cost advantage, will be key to success. 

Barlow: Leverage the expertise of the hosted security provider; they work with solutions providers around the world every day. Ask them what works, what doesn't, and how other solution providers are successfully selling their services. Then, brand the product as much as you can to increase your name and brand recognition for viral marketing purposes, and attend their webinars to learn how to leverage your customers.

Cutler: Do it — that is really it. You can easily dip your toe in the hosted space and start to enjoy the recurring revenue model more easily than traditional product sales. With no inventory to purchase and a 30-day free trial, you simply turn it on and start making some money since, in many cases, the cloud-based solution outperforms other options.

Comazzetto: Make sure they adequately plan the solution to be able to deliver what they are selling. Have the redundancy, the infrastructure, and competitive pricing to make their offering more attractive than what the company currently has or spends themselves.