Take on the big boys - and win
Selling security to multinationals can be a challenge, especially for relatively small companies that need to make a big impression. However, there are subtle ways of getting through. Nick Booth explains how in the first of our five-part series
Big corporations usually have ruthless mechanisms in place to exterminate agents that have the temerity to enter their premises. There are several lines of defence that are designed to identify, subdue and fatally stifle any unwanted party that comes into contact with them.
For example, if a small company is foolish enough to be lured by the promise of carrying out a big project for one of the global giants, it will eventually discover, to its cost, that the honey pot was an illusion. By this
time though, it will have been fatally weakened and softened up by a series of time-consuming meetings with middle management, who turn out to not have any decision-making powers, despite all their initial promises. Starved of any income, the small agent eventually perishes, broken with
ruthless efficiency by the gears of a giant corporation. So the mega-corporations can effortlessly sweep away unwanted attempts at a sale, but can they defend themselves against a genuine threat? Why do pirates and hackers regularly breach their defences?
If all the reports in the popular press are true, corporations seem to be hopeless at dealing with these sorts of security threats. Logically, one would assume they would be desperate to speak to VARs that can provide solutions to the various problems in their organisation. But, as we have seen, big corporations do not like dealing with small outfits. Some might argue that corporates enjoy toying with these small companies, wasting their time with constant inconclusive meetings. But when it comes to signing any contracts, corporates always seem to be impressed by size.
This is why more corporations seem to seek a single supplier with a vast, wide-reaching product portfolio. Once, big corporates were interested in the best-of-breed product for each pain-point in the organisation. Now, they want the best of breadth, says David Ellis, director of e-security at distributor Unipalm.
“Corporates historically bought best-of-breed solutions from multiple vendor s because they wouldn’t forfeit functionality,” he says. “So the security market has always been pretty fragmented.”
The days where no single vendor can dominate are over. IT security is evolving to the point where a few big vendors will come to take control across the board.
“The likes of Symantec are acquiring a very strong portfolio in many areas, and other vendors such as Check Point have also widened their client base,” Ellis adds.
Security is evolving along exactly the same lines that networking did, says Bob Jones, chief executive of vendor Equiinet. It pioneered several networking manufacturers, such as Sonix, before moving into security as networking became a commodity business. Jones got into the IT industry only slightly later than Charles Babbage, and he has seen the same patterns repeating themselves.
“Big corporations always want to standardise on one vendor, because they want everything to be a lot simpler to manage,” he says.
Many IT vendors only achieve a complete body of products by buying the parts they do not make and then crudely cobbling them all together into a Frankenstein’s monster of a product portfolio. Claims of perfect interoperability in networking are usually bogus. It will be even worse in the security market because there is a far more diverse range of functions.
This will create a great opportunity for resellers and service providers, as long as they can market themselves properly, Jones says. It is not the purchasing of products that will be expensive, but rather the constant management of them.
“This is a great opportunity for VARs to provide an ongoing security, monitoring and auditing service for their clients away from the heat of the daily pressure in the corporate IT department,” Jones says.
But there are issues. Customer confidence is a particular problem. Just as you would not buy insurance from a company that you did not think would pay out if a problem occurred, corporates are unlikely to trust the monitoring of their security to a reseller they have never heard of or dealt with before.
It is tough selling to enterprises, warns Mike Pallot, Microsoft’s channel development manager for security. “Larger firms are more likely to feel security is under control, and that reducing costs is a more pressing concern,” he says.
Despite all the obvious dangers, the take-up of security solutions hasn’t been what it ought to be. The marketing approach is often too crude, says Phil Watts, managing director of Softscan.
“Although it’s long been considered bad form, VARs still try to sell security through fear, uncertainty and doubt,” he says. They would get a better audience with their target customer, Watts says, if they tried to understand the corporate business requirements. “Sell security as an enabler, not as a panacea,” he adds.
Some of the dire warnings that market-making security hawkers issue are not even relevant.
“Resellers need a better understanding of risk assessment and the dangers that individual customers face,” Watts says. “Without this, VARs are trying to sell a product that mitigates a non-existent risk for their customer. No matter how good the product is, no corporate is going to spend money when the risk to the business is minimal.”
Mike Small, director of security strategy at Computer Associates, says that corporate VARs should forget all the hype because as an end-user himself, he grew tired of being lectured to by people who knew nothing about how his company works.
“The technology angle has been over-hyped,” he says. “The real issue is people and processes. A large organisation can dramatically cut network bandwidth consumption and time-wasting incidents just by standardising the configuration of their PCs.”
Knowledge about a company’s business processes soon tells you about its needs and worries. One of the biggest pain-points from a business-process point of view is that IT systems are in constant need of updating.
Patch management is a key growth area now, according to Unipalm’s Ellis, because it takes away the pain of compliance. “We’re seeing a big move to deploy this technology,” he says. “This is where the likes of [vendor] Patchlink are going to be useful.”
Consolidation of multiple applications and hardware platforms does not have to be achieved by putting all your faith in one vendor. Providing a system to retrospectively rationalise all these systems under one management platform is where the likes of Crossbeam Systems, and its partners, are likely to succeed.
Neal Lillywhite, country manager at Crossbeam Systems, says that big corporates are too busy trying to cope with the pace of modern business and the demands of regulatory compliance to manage security themselves.
“The security solutions they choose must never hamper network performance,” he says. “They must protect against multiple threats while complying with the tough regulations that businesses face. It’s a very tall order, so a consolidated security solution that incorporates multiple best-of-breed security applications provides a huge advantage for large corporates.”
If there is any consolidation, it will be around management platforms, not single vendors. “It is important for large organisations to be able to pick different vendors for different components of their security protection, because each area has its own leading vendor,” Lillywhite adds. “But they must deploy and manage these applications centrally on one platform.”
Amar Rathore, sales manager at security vendor Countersnipe, says: “Despite many vendors’ claims, there is no one that could offer a perfect solution for every security problem.”
There are two sides to knowing the business processes of corporations. Knowing their production processes is obviously going to be helpful. This is a discipline everyone pays lip-service to, but few actually achieve.
The purchasing process is another mystery that security VARs have yet to solve. Big corporations are full of people who will have meetings with you, but who do not have any decision-making power, so they cannot sign off projects anyway.
There is a school of thought that these people are just lonely and so desperate for someone friendly to talk to that they will ask all kinds of tradesmen to visit them for a chat over tea and biscuits. That is undoubtedly true in some cases, but more often than not, corporations divide their staff up into two distinct camps. There are those who know what they are talking about. And there is the purchasing department.
Sometimes these two factions work in harmony, with the IT manager’s purchasing recommendations rubber stamped as a formality. And sometimes the opposite happens.
Never take the purchasing and procurement people too lightly, says Paul Bushen, sales consultant at ExaProtect. “Some orders have been completely changed at the ordering stage because an unsuitable product vendor offered a very low price, or bundled a solution with another product that is already in use,” he says.
“Large organisations may have committees to make decisions, and they may require a sponsor to present the case for a vendor. There can be an individual with a specific requirement and budget to match. A reseller has to get to know the organisation, how it works and who does what. It comes back to getting to know the client.”
Strategic decisions are led from the top, and are project based. They have more definite budgets that typically involve a long sales cycle. However, tactical reactionary solutions are often performed without a budget or on the cheap. These are difficult to predict, get right or make money from, but they can lead to quick wins, according to Bushen.
Quick wins? This is not really what most resellers would want. Isn’t the channel supposed to be all about long-term relationships and helping its partners to devise their IT strategy? Surely, if you want to supply quick wins, you might as well open up a shop.
Precisely, says Lewis Honour, security practice manager at super VAR Logicalis. “Logicalis did not grow by going for the quick wins,” he says. “And this reflects the predicament that resellers find themselves in.
“Companies are either system integrators or boutiques with in-depth expertise in a specific area. So security is either their sole reason for being in business or it is very much an afterthought. There are very few companies where security is considered from the word go and inherent in every design and sale,” he adds.
These two distinct sales models used to work, when customers bought security as an afterthought, often making their decisions on cost. The problem is that there is a lack of education among end-users, Honour says. Partly it is the channel’s fault because they have always gone in for the quick sale when installing any IT system. The security should go in at the beginning. But customers are hooked on getting the best price, so the security part of any system is always overlooked initially.
“It’s like buying a cheap car, then having to pay more later to have locks fitted,” says Honour.
Bob Tarzey, service director at research company Quocirca, gives a chilling final analysis for resellers.
“The market for point-products is declining because infrastructure products such as routers, operating systems and system management tools have security embedded in them,” he says.
Increasingly, the big infrastructure vendors are buying point-security vendors and embedding the technology in their offerings. Microsoft bought Frontbridge, Sybari, Giant
and Gecad. Cisco bought NetSift, Twingo and Protego, instantly rendering all the work of those companies’ resellers redundant.
There is hope if you can get into offering managed services. But are corporates going to buy these from ordinary resellers, or from the likes of Logicalis and Computacenter? It is a tough one to call. C
>> Further reading:
Users feel pain after latest Microsoft patch
CONTACTS:
Countersnipe (0870) 042 9480
Crossbeam Systems (0118) 925 4259
ExaProtect (0845) 0549 900
Logicalis (01753) 777 200
Microsoft (0870) 601 0100
Quocirca (01753) 855 794
Softscan (020) 7956 2029
Visual Nexus (01483) 549 470
Westcon UK (01753) 797 800