Cracking the potential of the security market

Security offers huge opportunities for resellers that make the effort to understand it. Computer Reseller News' Simon Meredith chaired a new-format panel discussion.

Network security is one of the hottest areas of the IT market. Yet in spite of all the publicity it receives, many users remain vulnerable to hackers, crackers, malicious damage and data theft. vnunet.com's sister title Computer Reseller News brought together a group of industry experts to discuss what could be done to address these problems.

THE PARTICIPANTS

Peter Crowcombe, manager EMEA marketing, Netscreen.

David Ellis, director e-security division, Unipalm.

Bernie Dodwell, sales and marketing director, Allasso.

Richard Hemmington, business developer, Ideal Hardware.

Paul Judd, sales director, Netwise Systems.

Lee Hiscott, technical director, Netwise Systems.

Lee Harrison, business development director, e92plus.

Ian Morris, director, equIP.

We all know that security is a big opportunity, but are resellers doing enough to exploit the market potential?

Morris: While some value-added resellers are encompassing the change, most continue to be happy to do what they have always done. I'd like them to open their eyes and at least sit down and talk about the opportunities instead of chasing low-margin business. I believe that their customers would like to see them bringing new ideas to the table.

Ellis: I'd agree, but it is up to the value-added distributor to educate [resellers] on the opportunities and open their eyes to the bigger picture. Firewall sales are not commoditised yet but they are becoming more mainstream and we should be telling them how they can bolt on other services to that sale.

Dodwell: The traditional network infrastructure Vars find it very difficult to adjust to selling a security solution. They are used to putting in cables and boxes and benchmarking performance. But security requires a different mindset and very few have made the leap into the idea of security as a solution. They think of security as antivirus on a box on a network, and that's it.

Judd: Very few resellers have actually taken the opportunity to move beyond the basic plumbing. Organisations like Netwise and a few others have grasped the nettle and made the changes they need to make. Maybe they were adding value in Layer 3 switching four years ago, but that has gone away and the value now lies to a great extent within the security aspects of the network.

Crowcombe: Security is becoming a core component of the network. You have had this alien technology landing in the middle of the network guys' space, and this is unusual.

The network industry makes leaps but they are usually predictable leaps, in speed and integrated functions. The key skills you need for security don't lie in the networking sphere. It is a lot more than antivirus, but some resellers still think of it in that way.

Hemmington: We see security as a massive opportunity. There are a lot of Vars out there who are sitting on the fence and are waiting to be pushed to get on board, by helping them build up their solutions and services. Other distributors, with due respect, don't have the reach we have.

Harrison: The key from a distribution point of view is flexibility: addressing needs and mapping resources to those people. We are seeing an increase in revenues from services through the partners, such as audits and regular health checks. There are extra consultancy opportunities for Vars willing to invest in developing their capabilities. Security is not a commodity; none of these products are out-of-the-box solutions and there is no silver-bullet solution.

Judd: There is also a very important and fundamental difference in that the people who handle security aren't necessarily the people that handle the networks. So your contact base at the client is constantly shifting and moving. As products like Netscreen's come along, some of the functions are moving over to the network. But predominantly, organisations have a separate security department, so it is a different contact base and a different methodology.

Crowcombe: I'd agree that's what we see at the top end of the market. Up to now it has been necessary because the solutions have been complex. Our challenge in the vendor community is to make those solutions integrate more seamlessly and, as we reach down into the mid-tier, we are not going to have those security specialists. It is going to be incumbent on the network guys. It is important that the channel steps up to that challenge.

Ellis: There are players who are trying to sell security as a box. That's not how you should sell security. The product should fit round a policy that's deduced from looking at risks in the organisation and understanding business processes. We have customers come to us who have been mis-sold products. It is down to distributors and vendors to educate resellers about how to sell security.

Morris: If you don't have a self-install firewall [referring to Netscreen], that's probably why your product is sold through specialist houses. We are a long way from security products becoming a broad-based distribution offering. We all try to reach down the channel but you also have to recognise when you are pushing water uphill. You can only do so much education. You can't make a non-self-install product that easily.

Hemmington: The security market is maturing and end users are going to be asking their resellers for solutions. We are not going to be able to educate the whole channel but we do see it as a fantastic opportunity and we have to get on board.

Don't we need simple, self-install products to increase market penetration?

Dodwell: Specific parts of the market will commoditise: antivirus, for example, and URL filtering. With regard to resellers, we have had great difficulty in persuading the network integrators to take on security because they come at it from a network point of view and talk about price performance and product comparisons. That's irrelevant when it comes to security. It's about knowledge and understanding, and taking the customer's business issues and finding the technologies that address those issues. It is not about a faster box or a smaller box.

Crowcombe: I don't agree that speed is not an issue. As this technology goes core to the network it is going to have to perform at the sort of speeds that network people are used to.

Ellis: And the role of the value-added distributor is to glue all these components together, through services and scouring the market and providing a total solution. We are a long way off that being commoditised.

How much effort and investment do you have to make to become a security reseller?

Judd: We have made a massive investment in understanding the broader picture. Unless resellers step up to the mark, they are never going to be successful, even with the support of suppliers that add a lot of value. The opportunity is growing faster than we can grow our skill set and we use a lot of services from people like equIP to augment our own capability, but it is absolutely key that we have our own capability.

Hiscott: A security solution is not just a firewall or a product; it's a coherent approach to all the possible attacks and losses of information. Smaller end users can perhaps get that coherent approach. Larger enterprises will have separate departments dealing with all these different things. The reseller's job is to try to get a coherent solution for the customer even though they didn't know they wanted it.

Judd: With appliances like those developed by Netscreen we are finding opportunities to put firewalls where people could never previously afford them in large organisations. We have rolled out a 400-node network for a company where previously a separate firewall and remote management would have been needed and the implementation time and cost would have been considerable. Now a Netscreen 5 can be deployed out of the box; a £500 or £600 box that can be thrown away if it breaks.

Ellis: Organisations are now tiering security. Four years ago there would have been a firewall at the perimeter. Now they are segmenting different business units, protecting key application servers, putting firewalls in front of board members' workstations and using intrusion detection on different segments of the networks, with antivirus as well. This is an area we should focus on.

That's happening in the enterprise space, but what about waking up the rest of the market, and the small and medium-sized enterprises?

Morris: The whole thing is about education and it's our job to educate the resellers and for resellers to educate the market. Until you understand the vulnerability it is hard to sell the solution. Security will never end because the hackers will always find a way of breaking through.

Hemmington: Education is what we need. We have been selling antivirus for four years, and resellers are selling it but they are not selling the rest of the solution. End users are realising that they need to be secure.

Harrison: If you go back 12 months there were a lot of point products being sold, but now we are starting to see multiple applications on appliances that deal with a number of security issues.

Dodwell: Take that to its logical conclusion and eventually someone is going to come up with an appliance that does everything and is flexible enough to be used by a five-man company and a 500,000-man company. Where does that leave the security reseller? What value does it add? To succeed in this market, a reseller has to understand the risks that a business is facing.

Judd: Given enough time that may happen, and where is the reseller for security then? We will have to continue to evolve. There will always be areas to move into.

Crowcombe: It may not ever become a commodity. Unlike everything else in IT, where we are working against the laws of physics, with security you are working against people. As soon as you nail the last vulnerability, they will invent another. But compare the value of the services sold with security; it used to be 15 to 20 per cent with networks, but with security it is a lot higher and perhaps even more than the hardware. You have vulnerability assessment, then you have to map the processes, implement, and then go back and do security audits.

Harrison: It's not going to be just for the cream of the crop though. The people round this table are providing all of these services through the channel so the smaller reseller can compete, retain clients and get the incremental revenue.

Are customers prepared to go on paying for security?

Judd: It depends who your customers are. Our customers are mainly in finance, and yes they are because their information is their business. Others don't visit it more than once every one or two years because their risk assessment says the solution will make them secure enough for that period and they are happy with that.

Morris: The products scale, though. Resellers are often unwilling to look at which solution fits their customer base and listen and learn. I'd urge them to learn more about the things that are applicable to their market space.

Hemmington: End users want and need security, and resellers need to get serious about it and get involved.

Hiscott: The trouble is that the end user sometimes does not realise what he needs and has not set any budget for it. It's more like being a business analyst than a reseller because you have to do the whole business risk assessment.

Judd: If the client knows nothing it takes longer. There is a job to be done, but it is a very lucrative job.

Crowcombe: Resellers who migrate early and understand this space can take the opportunity. This technology has been dropped into the core of the network, and understanding it means that you have the best chance of winning business.

What made Netwise invest in security?

Judd: We felt the time was right. We partnered initially with Netscreen because we felt it was a quantum leap in what was achievable with firewalls, and that was clearly a growing sector. There was a need to evolve and move on; in 1994 we were the best RAS company in the world, but if we were still a RAS company now we would be out of business.

Crowcombe: Some resellers are taking a different approach. Instead of selling firewalls, they are leasing them and suddenly they have gone from a number-driven business to a return on investment-based business.

Hiscott: There are plenty of businesses out there that don't even have a firewall yet. We have come across companies that have NT servers directly attached to the internet.

Judd: Also, most of the companies we talk to are running with 65 per cent of the networking and security people that they had two years ago, and that is a massive opportunity for us. A lot of clients don't have the resources to run the network, and they certainly don't have the resources to understand security. Now is a very good time to add value.

Ellis: There is definitely an opportunity in the management of the devices. IT departments are being over-run to the point where they are turning these things off. That has to be a key area.

Crowcombe: For vendors I'd say that's the number one focus as well. There are no easy ways into the market but one of the best is virtual private networks [VPNs] because you can get payback within two months. Security is a hard sell in one sense because you are asking people to spend money they had not spent before in the hope that they will never have to use that technology. But with the VPN you take an existing network, reduce their bills by 50 per cent a month and add a level of security.

Judd: Intrusion detection is also a very good area and is starting to turn into tangible business. Appliances that are taking on more than one role are also very important. People are finding it difficult just to do what they are doing rather than having to do more. It's important that these technologies come together. A lot of customers are sitting there praying that it doesn't happen to them. Even more aren't praying because they don't know that it might.