Securing business for life

The ‘scare tactic' approach to selling security does not work. Resellers should learn to target specific solutions at specific vertical markets. Simon Meredith discusses how in the final part of our five-part series

Ask anyone immersed in the sector what selling security is not about, and they will almost certainly answer ‘selling fear’. What it is and should be about, they argue, is selling benefits and business-enablement. But what you certainly should not do is sell the products and then leave the customer to fend for themselves: selling security is as much about convincing customers that you will continue to be there for the long term.

Richard Hales, UK and Ireland country manager at F-Secure, says: “Most security products perform the same function for the user, day after day. They work only when the subscription is live, because they have to be continually updated. With security, you’re selling a service rather than a point product.”

According to Ian Kilpatrick, chairman of distributor Wick Hill, it is essential that you sell benefits, not fear, uncertainty or doubt. Nor should you take the ‘pay the money now in case it costs you more in the future’ approach.

Specialist sales and marketing consultant, Market Clarity, has looked at how companies view security. Stephen Martin, director of Market Clarity, says understanding the perceptions that customers have is vital.

“The key issue we came across was that reality was much less important than fear,” he adds.

According to Martin, while companies tend to be shy about admitting breaches, the incidence of actual breaches is in fact very low. But people talk about security issues as if they were much higher. In other words, fear is playing a part and customers can easily convince themselves that it is a major threat, even if they know that is not the case. In a sense, security is selling itself now.

Lee Perkins, director at distributor Azlan, says: “You don’t have to ‘sell’ fear; it is there already, and the hype cycle that surrounds the whole security business will ensure that continues to be the case.”

Perkins is a firm believer in selling security as an integral part of the whole network infrastructure. “If you are a specialist or have a focus in any market sector, you need to have security as part of the whole solution,” he says. “It’s an integral part of every proposition, whether it’s best-of-breed products or built into a switch or an appliance.”

Selling security as part of the solution is one thing; making money out of it is quite another. As Martin points out, while there is a broad acceptance among users that they need security, they have also come to realise that, once the basics are in place, the threat is very much diminished. Security is becoming what Martin calls “a threshold market”.

For some organisations, if the potential impact is very damaging then, even if the probability of it actually happening is very low, it is worth taking action to prevent it. That is straightforward enough, but as the ratio of potential damage to probability falls, customers are enticed only if the price of really good security is very low. If you cross this threshold, products and services become much harder to sell. “Like any form of insurance policy, much of the benefit comes from it being very easy to buy and manage and not too expensive overall,” Martin says.

As a general rule, Martin adds, resellers ought to focus their efforts on the individual in an organisation that has the most to lose. “The key target is the internal IT manager,” he says. “They have so much to lose if something goes wrong and so little to gain from a marginal cost saving, that they will never pass up the chance to cover themselves.”

In most cases some security technology will already be in place. If there has been no serious problem, selling becomes much harder, unless you have something new to offer.

Martin adds: “They are unlikely to change because of the disruption. They would also have to admit that what they have now is not perfect. If VARs want to get people to switch, they have more chance if they can say that this is a new solution or approach that was not available when the customer first bought security.”

So while the fear is there already, there is a sensitivity over cost in the broader market and a real need to focus in on the specific needs of customer groups and individual customers. But needs and sensitivity to issues differ in different market sectors, and so does the level of opportunity.

According to Mik Stevens, market manager for security at Cisco UK and Ireland, the most lucrative sector for VARs is financial services.

“This is mostly because the nature of their business mandates robust security at every level,” he says.

Financial firms are also extremely concerned about compliance issues.

Grahame Smee, managing director at security distributor Equip, says: “Companies know that they have to follow the rules or face big problems, legal or otherwise. A good security offering is about prevention, cure and audit. Who did what is sometimes as important as what happened.”

Being able to analyse and audit security processes is just as important or even more important than understanding the technology here.

Phil Watts, managing director of SoftScan UK, says that the main driver for financial services is normally avoiding downtime. They may even be willing to sacrifice data speeds, up to a point, if it means that the information will be more secure, and that the risk of any attack being successful is significantly reduced.”

This means they will often implement more than one security solution for the same problem, which is why it can be such a profitable market for an understanding VAR. Email, for instance, will more than likely be fed through a hosted provider, using different vendor anti-virus technologies, then forwarded to an email security appliance before being allowed to enter into a network.

However, resellers need to be totally confident in their own ability to sell to finance, says Ian Bowles, vice-president of sales at Clearswift.

“Financial services companies often use IT as a competitive differentiator,” he says. “Therefore they need far more stringent security practices and technology in place to protect their consumers, as well as their brand reputation.”

But while finance promises more profit, the market with the most opportunities at the moment is the public sector, Stevens says.

“There are considerable issues here in having to provide online services to set targets,” he says. “It is therefore more straightforward to position solutions to the public sector, but don’t expect high margins.”

In the public sector, needs differ with every single local authority, health trust or school. For example, in education the priorities even vary between the different levels of the management structure, says Dave Abbot, product marketing director at Equiinet. It is hard work selling to schools, he says, but the opportunities are plentiful.

“A network manager at local authority level has specific needs that are different from those of an IT co-ordinator or head teacher,” Abbot says. “The spend on IT is still high, and government funding for initiatives such as ‘Laptops for Teachers’ have actually increased the risks to a school network from internal sources. But awareness of these risks and knowledge of security solutions is relatively low, so there is a definite potential for offering advice, support and solutions.”

Corporate companies and SMEs also have differing needs. Large firms often have most of the bases covered, notes Kilpatrick, so the main potential is for trade-ins and upgrades, or something more specific.

“They are often looking for more specialised solutions around intrusion prevention, spyware and so on,” he says. “They also often have compliance issues that need to be taken into account. They are much more aware of emerging threats. Mobile, remote and wireless are key areas for them.”

Enterprise customers will also want to know every detail of what you are putting forward, says Tim Ellsmore, managing director of specialist security firm 3ami. Work with them and you will win friends.

“Security officers are prepared to stand shoulder-to-shoulder with you in presenting the upside of the product to their internal clients, he says. “It is therefore imperative that they have the whole picture.” Selling to large firms can be time-consuming as well, he notes.

“Corporates would all like to think they were quick and agile, but they have their own constraints and corporate governance, which slows things down,” he adds.

Kilpatrick agrees. “The process of selling to corporates is more complex, because there might be someone responsible for security, someone for the network, someone responsible for purchasing, the IT manager and so on,” he says. “It is much more consultative and often involves a pilot process, and services are more important too.”

The sales cycle in the SME market is usually much shorter, and most companies want something quick and simple.

“SMEs want something that will last for years, that will expand with their business, and that doesn’t cost much,” Kilpatrick adds. “Typically, they have an identified need, or the reseller has helped identify problem areas, so sales cycles are shorter. They are often interested in multi-function appliances because of the lower unit cost and ease of management.”

Smaller firms are much more reliant on resellers, F-Secure’s Hales notes, because they do not have their own expertise.

“They would tend not to have the bandwidth to get into detail regarding the technology being put in place, they’ll just want to know that they have received good advice from their well-trusted supplier,” he says.

SMEs tend to prefer the all-in-one approach of appliances or combination packages, whereas larger organisations or those with more at stake tend to favour the best-of-breed approach because of the increased level of security that this provides, Hales adds.

“If malware has been engineered to bypass one of the security vendors at one level, having multiple vendors at different network layers can provide a barrier,” he says. “This, however, comes with additional management overhead.”

According to Keith Bird, man-aging director UK and northern Europe of SonicWall, small businesses are now also turning to managed security services, because these remove the hassle of managing and keeping systems up to date. In the first quarter of the firm’s financial year, SonicWall’s partners that sell this type of solution experienced 61 per cent sales growth – with most of the business coming from SMEs, Bird claims. The firm’s definition of an SME, however – companies with up to 1,000 seats – is more liberal than most. The uptake of such services is almost certainly from the higher end of this scale.

But what smaller businesses of any size will not accept is a lesser form of solution, says Jo Pettifer, head of channel marketing EMEA at RSA Security. “It’s often not a question of ‘What’s the cheapest?’ but of what represents value for money,” she says. “What SMEs do not want is vendors forcing dumbed-down versions down their throats.”

Whichever sector you target, selling security is never going to be easy. According to Ellsmore, in some ways it is the most difficult of IT solution sales. Resellers need to take a measured and benefit-led approach at all times, he says.

“The buyer will generally be looking for a long-term relationship whereby they buy into the product and the seller buys into the strategic needs of the buyer,” he says. “Pandas not only eat shoots and leaves; they also don’t sell software. The salesforce needs to be very stable and tuned into the goals of the organisation they are selling to.”

CONTACTS:

3ami (01257) 473 190

www.3ami.com

Azlan (01257) 060 3344

www.azlan.co.uk

BlackSpider Technologies (0118) 965 3700

www.blackspider.com

Cisco (020) 8825 1000

www.cisco.co.uk

Clearswift (0118) 903 8903

www.clearswift.co.uk

Datamonitor (020) 7675 7000