Security tends to be at the forefront of operations for most modern enterprises. For financial institutions (FIs) it is of utmost importance, and is often governed by the Financial Services Authority and various pieces of legislation, such as Basel II or Sarbanes-Oxley.
Breaches of security can result in more than just important data being stolen. There is loss of reputation and confidence to consider, which are two things most chief information officers (CIOs) cannot allow in the boardroom, let alone externally.
However, these same CIOs must also carefully consider which security solutions to buy to protect their data, while trying to align cost with benefits received before they achieve some return on investment (ROI).
The good news for VARs is that those in this fast-paced market will be spending more. Datamonitor estimates that the value of the enterprise IT security market will reach about $34.7bn within the next two years. In 2004 the market was worth $20.3bn, so this represents a compound annual growth rate of 14.4 per cent.
Andrew Kellett, senior research analyst at Butler Group, says: “Clearly security and information privacy remains paramount in this particular vertical, because any IT security breach will almost certainly prove to be both costly and embarrassing.”
Kellett believes that the upfront ROI calculators for security in the financial services sector may be forced to focus on the softer customer-related issues, rather than on the hard, money-saving, self-service operational issues that drive customer use. The importance of strong access security suggests that demonstrating the overall benefits of security solutions such as customer authentication and identity management will be beneficial in driving the sales process.
“Keeping customer information secure is mission critical for all financial services organisations, because it determines the level of trust between bank and customer,” he says. “This is vital if banking institutions are going to continue to switch large numbers of customers to using cost-saving, online, self-service, account management facilities.”
For these reasons Kellett feels that key security sales drivers in this predominantly bank-to-customer-driven relationship include quick, effective, and easy-to-use provisioning services that are supported by secure access and authentication privileges, which is an area VARs should look to capitalise upon.
Incidents of fraud continue to rise, and internal security breaches always give cause for concern. Robert Grupe, enterprise solutions group manager at Kaspersky Labs, says preventing fraud for FIs involves securing information not only on their own networks, but also the end-to-end communications when servicing their customers via the internet and wireless telephony networks.
“The real challenges are how to authenticate customers properly, ensure communications cannot be intercepted by third parties, provide round-the-clock availability, and protect data from tampering,” he says.
Resellers should seize these business opportunities, while remembering that as well as selling security to the customer, they are selling it as part of an overall solution, he added.
However, Grupe is quick to point out that no single vendor has the ability to provide the breadth of technologies or consulting expertise required to deal with the complex and rapidly evolving area of electronic security.
“Just looking at traditional physical security solutions, there is the need for different speciality vendors that can provide expertise in particular areas,” he says.
“By optimising solutions from multiple vendors, organisations are able to provide higher levels of security protection than would be possible from a one-stop shop.”
That said, if FIs are looking for one thing, then it is proven, robust security solutions that have a track record in their sector. The removal of risk is essential to future business blueprints and these companies cannot afford to have reactive strikes against viruses. They prefer to seek assurance against evolving threats from the solutions they buy.
The need to be security conscious and protect confidentiality at all levels is imperative for a financial organisation. So the choice of security technology, vendor and reseller is invariably a tricky and strategic consideration.
Whereas historically the call was for a multi-vendor, best-of-breed environment in a given infrastructure, today’s cost-driven banking environments have led the finance houses with large heterogeneous infrastructures to look at ways to reduce management and operating costs.
According to Viv Francis, channel director, UK, Ireland and South Africa at Check Point, this means reducing the number of vendors, which in turn means vendor selection is that much more stringent.
“The knock-on effect is that there are fewer internal skill sets to keep up,” she says. “By going with the mainstream they tend not to be quite so eclectic and costly.”
Ian Moyse, UK channel sales director at BlackSpider Technologies, says: “Choosing multiple vendors is not an issue, but all financial organisations will want to carry out a risk assessment and resellers can expect a lot of questions on this subject.
“Any reseller that wishes to get close to the security decision maker in FIs will be expected to demonstrate a strong record in security, and expected to be ISO17799 certified or be skilled in penetration testing, for example.”
As FIs realise the ROI to be had by moving more and more of their processes online, they are discovering a new world of security challenges. Ideally, most financial services organisations would like a single vendor to handle as much of this as possible. But most realise it is impossible to build an entire IT infrastructure on this basis.
As a result, some are turning to appliance-based solutions that enable them to develop their defences to match the ever-evolving online threat, with many favouring technology that can be rolled out cross-department and company wide, regardless of geographical borders.
Soeren Bech, EMEA business director, Tumbleweed Communications, says: “As many banks are multi-national organisations, being able to implement a single solution internationally has obvious ROI benefits. Resellers that offer these solutions will find it easy to cash in.”
Bech adds that the key to selling security to the financial services industry is that it is all about visibility and control. A large multinational bank could be using a number of vendors, but its overriding goal is to manage it all centrally, through a single, easy-to-use interface.
“Resellers can often find themselves stuck dealing solely with an IT manager, but the trend looks like changing,” he says. “Security issues have the potential to make it right up to board level. A number of resellers are realising that the recent high-profile consumer data losses by organisations such as Citibank have made board-level executives sit up and take notice.”
For resellers to be successful at selling to financial institutions, they must be sure to hit the decision-maker, who is likely to be on the board, but also have a high level of credibility in terms of company size or brand stature. They should also have forged a reputation as an expert and specialist in security. The latter is likely to be the deal-breaker, so it is vitally important that VARs have evidence of this in their sell.
Having proven projects such as penetration testing, vulnerability assessment and security policy development will certainly help. These can all hinder product-based suppliers.
Moyse says: “For a reseller to approach an FI with a new security proposition, they need to be able to illustrate a differentiation between what they and other resellers offer.”
Pete Smith, channel account manager at Fortinet UK, says: “It’s widely acknowledged that these FI organisations will look for best of breed. But they often fail to disclose any specific details as this would be like giving away the crown jewels.
“Financial organisations have fairly large budgets and the cost of a security solution is rarely an issue. The prime concern is functionality.”
According to Francis, we are seeing a move to a more globally orientated systems integrator scenario, rather than the historical regional partnership engagements.
“However, access to the appropriate level is not an issue when you are offering enterprise-wide turnkey solutions,” Francis adds.
Bob Tarzey, service director at analyst Quocirca, agrees. He points out that banks work with system integrators to oversee major projects, which often require best-of-breed technology from specialist suppliers.
“More and more security is being built into infrastructure, and this will be good enough for some industries,” he says. “However, banks are more likely to go to the specialists, so for instance a bank looking at remote access for employees might decide it needs a locked down appliance-based SSL-VPN solution, rather than using Microsoft Internet Security and Acceleration server.”
With FIs seemingly inundated with propositions from a variety of vendors and service providers, resellers must be able to demonstrate how their offering can improve the security and reduce the organisational risk of a company, if they are to generate interest.
Some FIs even consider changing a security solution as a potential risk in itself. So identifying an area where the organisation may be currently vulnerable or cost-ineffective is a powerful entry point.
“Financial organisations cannot accept the risk of losing legitimate business email,” says Moyse.
“This could be through a current spam filtering solution incorrectly classifying business communications as spam, or their IT organisation not having a real-time view of all emails that come in or go out of an organisation. In both these cases there are powerful business reasons why a financial organisation would review their email security.”
Email security has also become increasingly important, particularly as a number of security scams in this sector have resulted in leaks coming from within organisations.
Smith says: “Content filtering and virus protection have important roles to play. It is vital that the solution can operate in high availability, and that it can provide bullet-proof backup capabilities.”
Historically, FIs placed their security inside the perimeter with their own staff managing the solution. But today, managed services are increasingly being accepted as the most effective method for delivering security. According to analyst Gartner: “Effective boundary security is more efficient and cost effective.”
Moyse says: “Some financial organisations still prefer to manage security themselves. But this is often for political reasons and the belief that ‘owning’ the security somehow makes them safer.”
While hackers still attempt to penetrate networks on a daily basis, FIs are wising up to the threat posed internally, and they are implementing clear policies backed up by the tools to enforce and audit compliance with them.
Smith says: “Resellers can work with FIs to identify vendor solutions that offer the opportunity of strategic deployment, as well as providing comprehensive, first-line support for all solutions implemented.”
Recent research by PwC found that three out of four financial institutions believe compliance with laws and regulations is a very important driver for their security expenditure.
Eric Tocatlian, EMEA channel sales director at ActivIdentity, feels that successful security resellers will be those that quickly adapt their portfolio and competence to take these changes into account. While he believes that a strong relationship with the IT crowd is still absolutely critical, he says it may no longer be sufficient.
“The right approach for resellers is to build on their long-lasting interaction with IT departments to establish relationships with the other key stakeholders in the decision-making process, be they finance, human resources, legal or top management,” he says.
“Resellers that cannot adapt and focus on competing on prices to push more boxed products through the door are going down a self-destructive path, and they will eventually become extinct.”
According to Grupe, the best resellers will take time to understand the specific requirements of a customer before they try working to involve all of the relevant decision-makers and influences in any organisation. And the worst resellers will simply offer a catalogue of products at what they think are competitive prices, so that they can sell and move on to the next transaction with minimal involvement.
“Keeping up with the latest electronic security threats and understanding what can be done to minimise them is probably the biggest challenge,” Grupe says.
“Resellers that can distil that information and demonstrate to their customers how they can help to mitigate those security risks will be the ones that will be most valued by any customer.”
ActivIdentity (020) 7744 6248
BlackSpider (0118) 965 3700
Butler Group (01482) 586 149
Check Point (01223) 713 600
Fortinet (0870) 735 3666
Kaspersky Labs (0870) 011 3461
Network Box (0800) 107 6098
Quocirca (01753) 754 838
Tumbleweed Communications (0118) 934 7100