How to sell - Protection money

With security now a factor in every area of IT, the reseller is ideally placed to take a leading role in defending the end-user. Paul Bray writes the first of five CRN reports on this crucial market.

A reseller ships an anti-virus package, but a month later the customer hasn't upgraded it and is infected by a worm. A VAR sells a new IT system, but the customer forgets to set up any passwords and its system gets hacked.

A system integrator installs a wireless LAN, but the customer doesn't realise it is insecure and loses sensitive data. A bug is discovered in an operating system sold by a VAR, but the customer doesn't know a patch is available and its systems are targeted by a denial-of-service attack.

Who is to blame? Legally, perhaps, it is the customer that runs its systems in a negligent way. But morally, many believe the fault is with the reseller, because it could have warned its client of the risks and sold it a solution.

"The industry at large, and the channel in particular, has an education job to do," says Kate Hembury, sales director at reseller WStore.

"Stressing the importance of buying security is just one part of the equation. We have to ensure customers understand the importance of getting regular anti-virus downloads and having security policies that they stick to."

This concept of reseller as nursemaid may be unfamiliar to many in the channel, especially if they do not regard themselves as security resellers.

But security is one of the key issues facing IT users, and virtually all resellers are, or should be, involved - not only for their customers' sanity, but for the reseller's own bottom line.

"Security is becoming more generic," says John Stewart, chief executive of managed service provider Signify. "It must be sold as part of the application or system, not as an add-on. So all resellers must become involved."

Many VARs are therefore beginning to offer security solutions. Neil Venus, security solutions director at networking vendor 3Com, identifies two reasons for this.

"First, security products, in particular firewall appliances, are becoming easier to install, support and sell," he says.

"Second, there's a trend for service-based security solutions, pushed down standard two-tier distributor/reseller channels and offering high margins, zero installation and support and a simple value proposition."

The reseller's involvement should begin before technology is mentioned.

"The biggest service opportunity for resellers is determining and implementing a client's security policy," says Ian Kilpatrick, chairman of security distributor Wick Hill. "Many companies buy protection without having identified the areas of their business that they most need to defend."

The process of educating the customer can continue indefinitely. Until recently, it was about overcoming basic ignorance.

But now, with viruses making it onto the news, most companies are aware of the threats but remain confused about the solution. Resellers can provide seminars and newsletters to keep customers informed.

Viruses and worms top the list of concerns. According to Symantec's Internet Security Threat Report, 10 to 15 new viruses are discovered every day, with about 250 active at any one time.

It is not just the number of viruses but their rapid development and dissemination that makes them so dangerous. MyDoom was spotted in several variants within the first 24 hours.

The other 'classic' security threat, hacking, is also evolving in alarming ways. Some organisations virtually hand hackers their front door keys by failing to implement proper security policies (leaving passwords unchanged for years or failing to implement even basic security on wireless LANs, for example).

But hackers are increasingly targeting known weak points in specific operating systems and networking products; as soon as a new chink in the armour is discovered, word spreads and new threats appear within hours.

Perhaps the most worrying trend - much increased over the past six months, Symantec says - is the blended threat, such as MyDoom or Sobig, which combines the worst of virus, spam and hacking behaviour to maximise the chance of spreading its disruptive payload through an organisation or network.

Traditional defences, such as never opening unverified email attachments, may no longer be enough.

Indeed, the traditional approach to security - stick a big fence round your compound, station guards at the gates, issue passwords to your people, and send out for replacements when you realise something big is going on - is becoming as outdated as a platoon of Tommies with bolt-action rifles and rolls of barbed wire.

These foot soldiers and basic defences should still form the foundation of any organisation's IT security. But to withstand modern threats, they must be backed up by special forces and the latest technology.

Organisations could easily call in the Royal Engineers to patch the holes in their defences, if only they realised.

"The most effective worms and mass hacking events of the past year have been related to security holes that have been publicised months in advance," says Dave Mullender, technical director at ISP altoHiway.

"Most modern operating systems and applications provide methods for notification of security holes, installing patches automatically and alerting operators to the existence of patches that need applying. But in a busy environment security fixes are often implemented after the horse has bolted."

According to Symantec, 2,636 new vulnerabilities were discovered during 2003 - 50 per week. That's a lot of patches to manage manually, so security specialists are teaming up with patch management vendors. (Symantec recently bought OnTechnology for its inventory and patch management/distribution software.)

Patches take care of known vulnerabilities, but when a threat strikes out of the blue, firms need a rapid-reaction force, in the form of automatic updates.

"These are commonplace in anti-virus and increasingly in firewalls, where companies such as WatchGuard provide both threat alerts and automated updates, enabling firms to be current in their defences without devoting vast resources to it," says Kilpatrick.

Automation means less stress for resellers, but they still need to educate customers to take advantage. "We advise users to automate updates," says David Stanley, general manager at anti-virus/spam vendor Sophos.

"But a Sophos survey revealed 42 per cent of SMEs manually update their protection less than once a week, even though some viruses have the potential to spread around the world in minutes."

When an attack occurs, speed is of the essence, so companies need products that are intelligent enough to know that an attack may be happening and react off their own bat.

"An example is Check Point's InterSpect product, which protects against worms and automatically quarantines compromised devices," says David Ellis, director of e-security at specialist distributor Unipalm.

"Another is ISS's Proventia G Series intrusion-prevention system (IPS). If an attack is recognised the connection is immediately broken."

IPSs from vendors such as Prevx and Finjan go further, making commando-like pre-emptive strikes on previously unsuspected threats.

"Host-based IPSs can protect against threats not covered by traditional firewalls and anti-virus products, and the new wave of non-signature-based IPSs can protect against 'zero-day' attacks, which have never been seen before," says Nick Ray, chief executive of Prevx.

The growing number of threats and the increasing amount of hardware and software deployed to meet them can make life impossible for a firm's security staff.

"With a number of separate point security products such as firewalls, IPSs and anti-virus, administrators are bombarded with information to the extent that they sometimes turn the devices off," says Ellis.

"Each device on the network may well flag up the same incident, and often this information is predominantly false negatives or false positives, so key alerts can get lost in the 'noise'.

"Security event monitoring products from vendors such as GuardedNet and Symantec give a number of benefits, from cost reduction and quicker reaction to legislative compliance."

All-in-one early warning systems, such as Symantec's DeepSight, can reduce the overload. "Early warning systems include notification of vulnerabilities, countermeasures, alerts about attacks under way and the issuing of patches," says Kevin Chapman, channel sales director at Symantec.

"Firms can integrate vulnerability and malicious code alerts into their existing security processes and remediation systems. If they lack internal resources, it can be managed by a trusted third party."

The growth of blended threats has boosted interest in blended systems that combine anti-virus, content filtering, intrusion detection/prevention and more in a single product.

Vendors of integrated solutions, such as SonicWall, 3Com, ServGate, intY and WatchGuard, claim their products are easier and cheaper to run than security from multiple vendors.

Cost reduction is a major issue, but the cost of not doing security can be higher than the cost of doing it. Software giant Computer Associates has even developed a 'return on negligence' model, a kind of devil's return on investment for firms that do not invest adequately in security.

One way to keep a lid on costs and management headaches, and ease the pain of coping with multivendor systems, is to outsource security to a managed service provider (MSP) - the IT mercenaries, to continue the military analogy.

"The opportunity for resellers is to become more like security consultants, monitoring customers' traffic and configuring patches and equipment remotely from an off-site console," says Paul Thackeray, UK managing director of SonicWall.

For resellers unable to act as MSPs, there are plenty of distributors and vendors eager to do it for them. "A managed security service can operate on the vendor's remote servers," says Mark Herbert, managing director of intY.

"There's no need for the reseller to install software, no customer credit problems, and the burden of tech support rests with the MSP. Why shift boxes when you can sell licences?"

If the current trend continues, the role of the security reseller could change.

"I see resellers developing from systems integrators, selling a bunch of boxes they plug together, to being 'service integrators', selling managed-service-based solutions, and involved in the integration and ongoing delivery of those services," says Stewart.

SMEs, with their lack of in-house IT expertise and aversion to capital expenditure, are an ideal market for managed services, and the increasing need for even small businesses to take IT security seriously is broadening the market for resellers.

"Now that security solutions are affordable for SMEs, more resellers are getting involved in selling security," says Ellis.

"Experienced security specialists have generally continued to focus on corporate accounts, while resellers with SME relationships have bundled security solutions along with their accounting software, DSL connectivity, PC networks and so on."

The popularity of always-on connections such as broadband is making SMEs, remote workers and consumers vulnerable to the threats that corporate networks have faced for years. Resellers have a responsibility to educate customers about the risks.

Resellers looking to dip their toes in the security market should begin by getting at least one sales and one technical member of staff up to speed on the subject, says Simon Hill, director of UK distribution at Azlan.

One approach is to exploit an existing niche. "If you're already selling Cisco solutions, for example, increasing your level of knowledge on how security is deployed on Cisco platforms will help you to add considerable value," says Hill.

Get the focus right and the rewards can be high. Training, consultancy, vulnerability testing, policy advice and so on can add a lot of value.

"E-policy creation and consultancy by the reseller can easily provide margins of 80 per cent," says Herbert.

Commoditisation has hit security product margins, as in other fields of IT. However, Jono Clarke-Storey, channel manager at security software vendor F-Secure, says: "It's true that individual products, such as firewalls or small numbers of anti-virus software licences, are commoditised and low-margin.

"But customers typically want a true solution, and integrating the elements is where the value lies. Security is all about managing risks, and helping the customer understand those risks is where the margin lies for VARs."