Magazine Article | October 9, 2009

Q&A: Should You Be Selling Security Now?

With security in the news, is it time for VARs to consider adding security products to their line cards regardless of their technology focus?
Business Solutions, October 2009
Written by: Gennifer Biggs
With awareness of network security heightened thanks to attention by the federal government in the form of both its cyber security reports and the inclusion of stimulus funds for increased security, many security VARs and managed security services providers (MSSPs) are enjoying solid returns on their security expertise. But, if you are a VAR working in almost any IT field — point of sale, content management, storage, or wireless — you can still take advantage of the growing market for security solutions.

Business Solutions sat down with five security vendors and asked their advice on how VARs in other technology spaces can successfully enter the burgeoning security market. Participating in this roundtable discussion are: Azi Cohen, VP of market development, security management, at CA; Don Meyer, senior product manager, security systems for Juniper Networks; Rees Johnson, GM of network defense for McAfee; Christian Renaud, CEO and president of Palisade Systems; and Randy Cochran, VP of North America channel at Symantec.

Let’s start with the growth opportunities you see in the security space.

Azi Cohen, CA: In the next two years, the security market will undergo three types of changes. First, the pressure to lower operational costs will continue to grow, and with that the demand for shared services, virtual operating environments, and managed services will grow. Second, vendors will add technologies to support the latest security needs at the enterprise level as well as in the virtual environment. And, perhaps most importantly, most organizations will seek more “business-oriented” security solutions that allow the alignment of customers’ business needs with security and compliance needs. These changes could present huge growth opportunities for solutions providers in the security market. These trends will open new opportunities for VARs and MSSPs to develop unique and compelling services, such as securing virtualized environments, securing the cloud, and a stronger blend and integration of data loss prevention (DLP) technologies with identity and access management technology.

Don Meyer, Juniper Networks: We’ve seen a lot of growth in verticals impacted by compliance — retail, healthcare, and finance. There are more teeth in the compliance regulations impacting those verticals, and those mandates require a fairly robust security stance. With cash (federal funding) being infused into those areas, we are seeing a lot of opportunity. The good news is that if VARs look at each of the security mandates, they will find each regulation calls for very similar things, what we would call security best practices. That means that while the veneer may change from industry to industry, the core security content remains the same. That makes for a good opportunity because VARs can apply core security knowledge across a broader customer base. We recommend starting off in one of these verticals and then translating that experience to other markets.

Rees Johnson, McAfee: One factor for a VAR to consider when just entering the security market is the size of customer they want to target. For example, the enterprise customer tends to look for the leaders in every security category because it has the resources and funds to buy those top products and to manage a set of several solutions with existing IT staff. That makes the mid-tier market an easier entry point for a VAR new to the security industry because, while the midmarket customers know they need security, they also want it simple, secure, and easy. That is where a VAR can step in and be competitive right off; they just need to offer the right security solution. Often a suite of products offered by a single vendor and managed through a single console provides the coverage and ease of use expected by that customer. That is also a simpler choice for a VAR just getting into security — and this market has strong, continuing opportunity.

How can a VAR just entering the security solutions field develop a portfolio of security products that addresses a wide array of customer needs?

Randy Cochran, Symantec: VARs need to take a holistic approach to protecting their customers’ information, whether they are new to the security game or existing security VARs looking to expand into other sectors of the security market. Information must be protected at every access point — whether it is within the company or at external locations. VARs should work with customers to identify and classify their most critical information and then start to develop security offerings that address that information. From there, they can build out a more complex security solution. But the first goal is to ensure consistent enforcement of security standards around each customer’s more critical information, wherever it is accessed or used.

Cohen: For VARs just entering into the security market, I suggest looking at your own existing IT expertise and linking your first set of security offerings to that. For example, if you are a managed email service provider, you should look at extending your security along the lines of a data loss prevention (DLP) solution. That solution not only secures data in motion, but also gives you an opportunity to extend your business with that client by protecting data at the end point and the data at rest on the network.

Christian Renaud, Palisade Systems: It is Product Management 101: Everything starts with the customer. You must be talking to your customer about their business needs and the threats they are facing because every network is as unique as a fingerprint. That means every security approach needs to be tailored — that is what you want to do because that is what makes you valuable. If you are having that dialogue with your customer and start to think — “Boy, this smells like DLP, and I don’t have a DLP solution” — that is your guidance right there. From there, take your engineers and explore. You need to find the vendors in that space and make the vendors convince you which product is the best fit for your customers. Then that vendor partner will gear you up, catch you up, and get you ready to offer that security solution. When you are new to a vendor’s solution, it shouldn’t be a two-legged sales call that you’re making, but rather a four-legged call with your vendor rep.

Johnson: You want to look for the greenfield product space where the adoption rate is only 20% to 50% and a lot of customers are still buying new products. For example, Web security and intrusion prevention systems (IPS) are hot; those are both markets growing at high speeds and are only at about 50% of their potential. On the other hand, the antivirus or firewall markets are already saturated, so that is not where you want to start.

How do you recommend VARs manage security installations, ensure multiple security solutions are not interfering with each other, and know that those products are doing what they were implemented to do?

Meyer: That is an interesting dilemma; it seems for every new security problem, we see a new startup that will solve that one problem. Beyond that, there is often no single security solution for most customers. That has led many vendors to develop management tools that not only allow VARs to set policies that, to some degree, automatically manage security solutions, but also allow manual overview from one console. When you think about security and applying security to an organization, it is simple: I want to allow this, not that; I want these people to have access, not these; I want this information separate from this other potentially harmful information. While some VARs tackle this problem by using vendors that offer a full suite of complementary security products, that is not always a valid solution. Perhaps the customer has preferences or the client’s needs eclipse the tools in that suite — either way, you still need to have products and solutions that interact. The best advice is to look at what you are trying to accomplish, filter down to specific products you need, and then look for products that offer either an open application programming interface (API) or use standard technology so that each will interface with other products you may need. Your vendors should be willing to work with you on those interfaces, and your management tool should also interact with all those products.

Cochran: I think the most important thing a solutions provider can do is get smart on the security solutions they’re recommending to customers and then utilize those as often as possible. I continually talk to our solutions providers about the importance of focus. If partners focus on becoming experts on a few key technologies from one or two key vendors, they will be in the best position to be trusted advisors to their customers. A point product approach isn’t going to get them there, and it is just that much more difficult to manage.

Explain why the economic stimulus plan and the new emphasis on cyber security by the federal government may/may not have an impact on the security industry.

Renaud: If you are not in security now, you are leaving money on the table, especially with the focus on security within the government’s stimulus package. Many of these security projects have been on the back burner for a while, but now there is a sense of urgency because they are either getting stimulus funds or there is stronger enforcement of existing regulatory issues. You want to be in front of those regulations, but even if you missed this first round, the stimulus money is ongoing. There are always laggards; ramp up your competency, and get your foot in the market.

Meyer: The government has heightened the awareness toward security, which is important since when we go through these economic downturns, we are all about reducing spend, and yet security is even more important during recessions. We see these rogue cyber crime organizations targeting specific organizations and then holding them “hostage” for money at the risk of losing their critical data. The bottom line is the underground economy is a billion-dollar business, and cyber criminals are not going away. Since the government is now asking us to look at security and offering up some funding, it becomes more vital. That conversation raises awareness and helps VARs educate their customers. If nothing else, it provides a high-profile reason to sit down with your customers and start a conversation about security.

Any advice for a) VARs looking to add security to their practice and b) existing security VARs and MSSPs?

Cohen: Vendors and VARs need to work together to collaborate and share information. This is how new ideas and offerings are created. VARs need to leverage existing expertise or hire the expertise if they want to expand into new markets. Extend tangentially. Security technologies are blending and standards are making this easier. Take advantage of it. Learn how to talk to the business side in the organizations. You’ll find more business people than IT people involved in the selection process because it is the CFO and the CEO who are tasked with making sure that business processes and compliance requirements are covered by security solutions.

Cochran: I think education is key. If a VAR is interested in adding security to its practice, getting smart on the technology is the first step. I’d suggest looking at the offerings that your vendors provide to support you as you work to address customers’ most pressing security issues, such as training programs. Many vendors also offer tools that assist VARs with mapping out their customers’ business challenges and then matching those IT needs with the right solutions. From there, you must understand the issues your customers face — whether they are industry-specific or general business issues — and then you’ll be in a better position to provide the right security solutions.

We recommend VARs start by doing a security assessment, a tool your vendor (if you selected well) will often provide to you. When the customer sees that security assessment report, you have the right opportunity to start selling a solution. Our partners have found DLP is a great “foot in the door” solution, mainly because it offers access to so many other solutions needed for a true secure network (antivirus, access control, etc.). VARs want to find that “foot in the door” solution that allows them to build a sense of urgency around one solution and then just walk down the trusted advisor path to others.