Masterclass: Selling the security update message

Simon Meredith chaired the latest debate on opportunities in the security marketplace.

Security has moved on from antivirus and firewall products, and hackers are becoming more sophisticated. For most companies this means that security is only as good as their last updates and reviews.

In the second Security Masterclass debate, run by vnunet.com's sister title Computer Reseller News, we examined the growing opportunities for resellers in developing policies and long-term security strategies.

MEET THE PANEL

Ian Morris, director at equIP
Paul Judd, sales director at Netwise
Richard Hollis, security consultant at Orthus
Matt Percival, sales manager of northern Europe at Top Layer Networks
Sandrijn Stead, director at Addictivity
Dan Harris, sales director at Security Partnerships
Nick Peaster, business development manager at Citadel
Simon Meredith, chairman of the Masterclass

Do end-users see the constant need to update security systems as a licence to print money for the supplier?

Morris: Most recognise now that their policy is only as good as their last implementation and subscribe to the antivirus updates. But hackers have moved on, and more appliances and a better understanding are necessary. Resellers need to introduce those technologies to the corporate customers.

Hollis: Clients are now a lot more sophisticated and they see products as a piece of the solution but not the solution itself. We are starting to hear about 'holistic' security. They are starting to realise that security is a process, not a product; it's a journey, not a destination. You get there by looking at the threat on a daily basis.

Percival: You have to take the customer on a journey of self-discovery. They need to evaluate their problem and you need to advise and understand that problem and how they marry that explicit need to a product or a service.

Morris: Most organisations recognise that they have potential risks, but most of them don't have processes that allow them to identify those threats. You have to start in a 'discovery' phase and identify where the threats are, what the potential risk is and then how you go about solving it.

Stead: There is still a place for selling antivirus technology to customers. They are starting to see that if you are a true value-added reseller or systems integrator you can help them and probably save them money.

Judd: Most of our clients know that they don't understand all the risks and welcome us to the table. Yes, there may be a product at the end of the day but it's a product of our knowledge.

But will all customers accept ongoing charges for security services?

Morris: It's the resellers' job to inform. Most customers recognise that there is going to be some chargeable cost, but if you are not educating the customer about the risks there is no way you are going to see the benefits. It is up to the customer to decide how big the risk is, and whether it is worth the cost to stop it.

Harris: You need to educate customers because security can be seen as a disabler to business. Security does not need to stop things such as wireless networks happening; it enhances the protection of the business. But sometimes you are pushing snowballs uphill when they have got a budget signed off for a project but then discover that there is an extra cost to secure it.

Morris: We need to look at security in a much more fundamental way; in the same way as an application. You don't wait for five years and then throw the old one out and start again. People buy the application for what they want it to do now, and then constantly tweak it to meet their requirements. It is an evolving process.

Percival: If a reseller has a better understanding of the business drivers behind the purchase of security, they will be able to decide what they need to offer. Products have been badly sold. Look at intrusion detection systems; did anyone bother to discover why you need it? Does it help you to protect from attacks? There is a big red herring there.

Hollis: A quality conversation with the client is fundamental. What are they trying to protect and why? Get them to focus on the business driver and you hold the mirror up. If they can't do that, you are not going to get there.

Harris: The consultative approach is important, but take people who bought an appliance four years ago. How many will have revisited it? It is not a static protocol. If the investment you make at one point in time, for whatever reason, is left and not touched, that investment will be lost. You have to protect that investment by reviewing it and keeping it up to date.

Stead: And a lot of people refuse to buy subscriptions. They don't understand why they need them.

Judd: Buying a firewall and leaving it for four years is not necessarily a bad thing, depending on the organisation and the value of the data you are protecting. It depends on the value of the information and the cost of an intrusion. A financial organisation, for example, will be prepared to pay more to secure information and review security.

Stead: It does depend who you are. Most people need antivirus, then there are people who think they are at risk and you need a totally different set of solutions.

Peaster: It also depends how you sell. Some customers think they only need a £125 firewall, others have made a £250,000 investment and have still been hacked because they don't have the skills in-house to manage the settings.

Hollis: Computer security is an oxymoron. The only secure computer is the box on the high street. As soon as you plug it in the game begins. If you want to play the game we can show you how to identify, minimise and manage through products and processes. There is no such thing as 'computer security', but we don't, as an industry, make those kinds of statements. We are too prone to absolutes and saying: "If you buy this I can make you secure." And we offer them very few ways of measuring the success of their security.

Percival: You have to deliver the bad news up front. It's about saying: "If you are looking to secure the network 100 per cent, we can't do that. But if you are looking to go part of the way there we can help you through those processes which will get you to an end goal." And you need to deliver that from the outset.

Harris: The investment should not be where it was five years ago. It should be on emerging threats and on the holes that are being left open.

Morris: Resellers need to understand the technologies, recognise what is out there and put it to their customers. They should be prepared to listen. We have been staggered when we have put intrusion detection systems into corporate networks - knowing what we believe to be the risks - and have seen what has been going on. But we were nowhere near as staggered as (our customers) were. People are getting a couple of million port scans per month. They are getting attempted hacks via email and HTTP protocols weekly. They can see it happening before their eyes. Anyone who does not see that as a threat, that's fine. If that's not your business, we don't have a problem.

Peaster: We are always going to be in a 'cops and robbers' scenario. You can't do it any other way. You can't look into the future and if you police certain areas, the robbers will just go somewhere else. If they see the technology they will be forced down another route.

What is a realistic amount to spend on security? And won't spending on ongoing security start to eat into the annual IT budget? That might stop customers from buying other products and services.

Harris: We started Security Partnerships (part of Reading reseller IT Partnerships) four years ago and it took us three or four wins to get in there. We certainly made mistakes in the early days and could not deliver the quality we deliver now. But it proved to us there was a market out there. The problem we found was that one day we were selling 500 PCs to a customer, the next we were selling them a £500,000 security solution. There was a credibility issue. We had to re-brand the security business and four years down the line we are representing 25 per cent of the turnover of the hardware business and have taken margins from four or five per cent to 30 per cent.

Morris: But you don't have to go there in one hit. You can evolve into it and go out today with technologies that the customer doesn't even recognise exists. If you do that, they will work it out for themselves. But people don't buy things that they don't know exist.

So what is the first step?

Morris: Intrusion prevention is one of the strongest markets at the moment. If any reseller talks to anyone who has implemented intrusion detection and talks about the pitfalls and shows them the next generation, it is a very easy stepping stone.

Judd: Intrusion detection is of value, but you find me an operations man that has to live with it and is happy with his lot. It is an endless, thankless task. You need to move on to newer technologies that reduce the amount of information.

Harris: One thing I've found useful is offering to assess how good the security is, look at the vulnerabilities and prioritise them so that they can get a risk mitigation plan in place. That can open the door for you to sell services and build credibility.

Stead: With some of the software products you can let people dip their toe in the water. If someone is looking at intrusion detection you can give them Snort - you can get that free - or give them a free evaluation of Tripwire. It's different but it gives them an idea of what you are going to get back.

What about the problem of dealing with internal threats?

Hollis: Seven out of 10 people arrested for cyber-crime are employees of the company. In my experience it's more like 90 per cent internal. Interior security is where people and products need to focus. We give Snort free to a client and come back in a week and show them how many people are trying to abuse the system internally. That changes everything. Then we put it on the web server and show them the difference, and I tell you, that's a bad thing to deliver to the chief executive of a company. It brings us back to what are you trying to protect and what are you trying to protect it from?

Peaster: That's where, as a reseller, you make the difference. Otherwise you are just shifting tin, just shifting appliances. I have been to customers who say: "Oh security, I've got that sorted and done," or they will have had someone in who recommended putting in X, Y and Z. "What do you recommend?" But it is not that cut and dried, and nor should it be.

Percival: The question then should be: "Why do you think they recommended those products and how do they meet your needs?"

Harris: Selling the perimeter stuff is easy but that is not where the risk is.

Morris: There is some technology catch-up to be done before the internal stuff can be done at the same speed as the external stuff. You don't get routers running at the same speed as switches. Now we are starting to do this at any speed on a single network.

So right now, where do security resellers make their money?

Judd: Most of our revenues come from crafting a solution, the professional services, consultancy, design and the equipment for that solution.

Harris: There is definitely more money to be made in the capital, up-front costs. But four years ago I approached it as: sell a firewall, walk away. I got it slightly wrong. We missed a gap: to go back and review it. And we used to sub-contract auditing work to third parties. It's all in-house now. We are upgrading customers to support and bringing that in-house. Everything I am trying to do is geared towards getting net recurring revenue, and I want to increase that beyond the 15 per cent it is now.

Morris: That is fundamental, but a lot of corporate organisations will not take the security consultancy and the hardware from the same organisation.

Harris: Absolutely. It's a two-edged sword that works to our advantage. If we go in there and sell appliances, great, we do it. If we lose on appliances we pitch in the consultancy. You can win both but it is not easy to do that in the corporate market. We have a different offering for different types of company. The more important the data is to them, the more often they want to review security. At the top end there is a need now for real-time reviewing.

Judd: But in financial institutions they are loath to outsource that type of service, because if there is bad news they would rather contain it. And they don't employ consultants singly; they will get a second and a third opinion.

Financial companies will spend on security, but what about SMEs?

Hollis: They are already sharing resources. We have started - by popular demand - a 'rent-a-cop' service where we give an SME a security director for the day who is shared among five other companies. That's all they need and that service has taken off for us. They pick them up on two- and four-year contracts. I think you are going to see more of this happening, just as people share firewalls and so on.

Stead: We have customers that are one-man bands and will back away when you say it's £1,200 for a day's installation. Sometimes the box is the right solution, but you have to accept that these are the guys who are going to be on the phone. They are high-maintenance but they are constant run-rate.

OK, they will buy the box, but what about the ongoing reviews?

Judd: Partner. Go to your distributor and they will pass the business through. Nobody has got enough resource to do everything and have all the skills. We will partner where we don't have the skills.

Harris: There is software that will provide monitoring services and can be downloaded and packaged as a reviewing service. It won't make you a huge amount of money but it is a good way to start breaking into the security market.

CONTACTS

Addictivity (0845) 108 0414
www.addictivity.com

Citadel (020) 7618 6418
www.citadel-group.co.uk

equIP (01256) 365 500
www.equiptechnology.com

Netwise Systems (01252) 377 366
www.netwise.co.uk

Orthus (020) 7470 8711
www.othus.com

Security Partnerships (0118) 902 7845
www.securitypartnerships.co.uk

Top Layer Networks (01483) 243 549
www.toplayer.com