How to sell Part 1 - On the security trail
There has never been a better time to sell security. The growth in ebusiness, web usage, email, remote access and mobile gadgetry means that the potential for security breaches has never been greater.
Our increasing reliance on new technologies means that no business can afford to get a reputation for slackness, and breaches of security have never been more damaging to a firm's bottom line.
It can happen to anyone. The Consumers' Association - so often the scourge of firms which endanger their customers' personal data - was left red-faced in June when the addresses and credit card details of up to 2700 of its customers became accessible via its Taxcalc website. This forced the Association to email customers and advise them to cancel their credit cards.
And it is not alone. A recent PricewaterhouseCoopers report estimated that in North America alone, businesses have lost 6800 man-years in 12 months because of e-security issues.
A survey of security breaches by the CSI/FBI estimated that more than $330m (£235m) was lost last year through fraud and data theft, a figure that could grow by nearly half this year. It is not surprising, then, that revenues from security products and services continue to climb steeply.
According to IDC, the European e-security market will exceed $4bn by 2004. Meanwhile, Infonetics Research estimates that the European sector as a whole, including requirements for firewalls, virtual private networks (VPNs) and ebusiness security transactions, will grow from $1.5bn this year to $7.7bn in 2005.
Strong margins
Margins remain very healthy, since security is so important that customers are prepared to pay handsomely for it. Even standard products like firewalls can still earn resellers margins of 25 to 30 per cent. There are also numerous opportunities for adding value, from consultancy and risk assessment, installation, training and penetration testing, to regular auditing, support and reconfiguration.
One of the great things from a reseller's point of view is that security never stands still. There are new threats, such as yet another virus or alternative method of hacking and denial of service, and new risks, such as when companies offer updated online trading facilities, install always-on access for remote workers, or change their database software. Any of these changes may make last year's security solution as ineffective as the Maginot Line.
"The smart resellers are those who can provide not just the product solutions, but also the ongoing service to support them," said Bernie Dodwell, UK sales and marketing director at security distributor Allasso. He estimated that, over a three-year period, a reseller could more than double the value of the initial sale through services, upgrades and health checks.
But despite being lucrative, added-value security services are very much part of the bread and butter, not the jam.
"The market is built on value-add. Without proper configuration, there's no point buying security in the first place," explained John Jones, UK channel sales director at security software vendor Symantec. "Security packages have to interoperate. If a company's firewall and antivirus software aren't managed properly, or the reseller and customer fail to monitor the implemented software, the company's network can quickly become vulnerable."
Because of the required specialist knowledge and integration of different vendors' products, much IT security is still sold through specialist resellers, or specialist departments within larger resellers. But there is an increasing interest among generalists. Many networking distributors have reported that security issues are becoming prominent with their resellers.
And although Mike Awford, UK channel operations manager at encryption and authentication vendor RSA Security, believes that the best resellers are the established security specialists, he said: "That's not to say that a generalist reseller can't sell security. We're seeing an increasing number of these firms setting up security focused divisions, and using their reputation as established brands to sell security successfully."
Jones denied the suggestion that the security market is becoming commoditised. "Some vendors package some products in a way that makes them easier to install, and this does broaden the appeal to resellers," he said. "But it should always be remembered that properly configuring security is still a specialist activity."
But Andy Shepperd, general manager of the networking division at distributor Computer 2000, argued that the rapid growth in the security market means that generalist resellers must become involved.
"The upsurge of interest in security has taken the industry by surprise," he said. "Last year, a lot of resellers found themselves lacking information when customers came to ask about their options. So there needs to be a higher level of understanding and awareness among resellers about the technologies, and about how to manage user expectations.
"We need to be able to instil confidence in customers. Firstly, so that resellers can actively approach them with propositions and, secondly, because security is becoming a strategic issue for many organisations. Resellers must prove that they understand it and can deliver solid solutions."
Building a strategy
The strategic nature of security - as something which is fundamental to the success or failure of businesses, not merely a 'nice-to-have' - is acknowledged by the industry, and by its more enlightened customers.
They know it should be designed into the original system, not bolted on at a later date. But too many businesses, especially in the rush to ecommerce, have still to learn the lesson.
"The increasing pressure to be first to market has led to the rolling out of a high number of internet portals, websites and ecommerce gateways which are riddled with security flaws," said Kenneth de Spiegeleire, manager of security assessment services for Internet Security Systems.
"Security is often considered as something to be achieved subsequent to roll-out. But this often turns out to be expensive or even impossible, as security can most often only be implemented if it's considered from the initial design stages onward. Hackers gratefully abuse this phenomenon."
In turn, this puts the onus on resellers to educate customers about the risks. "Resellers that understand the market will build consultancy services to help their customers understand the need to keep reviewing security," explained David Ellis, director of e-security at ebusiness and security distributor Unipalm. "Some end users will buy a perimeter firewall and believe they're safe. It's up to the vendors and the channel to educate them about the risks involved."
A key message from the security industry now is that although perimeter controls are important, they are no longer sufficient by themselves. It is recommended that firewalls are deployed in front of key servers as well as at the perimeter.
Shifting employment patterns make it all too easy for perimeter defences to be circumvented. There are more remote workers with dial-in or always-on connections, which are unlikely to be housed in secure premises. There are also more temporary workers and trading partners that are increasingly being allowed access to some parts of a company's systems.
But they need to be rigorously excluded from other areas. Former staff, including some who have been made redundant or who left under a cloud, may still have passwords and expert knowledge of a system's layout.
Securing the front and back doors
The increasing use of VPNs also threatens perimeter defences. "VPNs tunnel straight through to corporate servers where an organisation's vital data resides," said Ian McKenzie, business development director at managed security provider Vistorm. "If security is focused on reinforcing the front door [the internet gateway], what's protecting the back door [the VPN tunnel]?"
Antivirus software may also require a multi-layer approach. Ellis recommends that it is deployed on firewalls and servers as well as the traditional location of users' terminals, otherwise a single email virus could trigger hundreds of separate alarms as each PC is hit.
New viruses appear all the time, hence the need for regular updates and patches. In June alone, 794 new viruses were discovered, according to antivirus vendor Sophos. New technologies such as Bluetooth and wireless local area networks (LANs) are introducing further threats.
"There's already a new term, 'war-driving', for probing unsecured networks from the safety of your car in the street," said Mark Brindle, vice president of technology at consultancy FrontRunner. "As PDAs [personal digital assistants] gain in functionality and more laptops come with built-in wireless LANs, more breaches will be caused by insecure wireless LANs."
Even mobile phones could be at risk from hacking and viruses, especially as more powerful 2.5 and third generation devices come into use. "Mobile devices are tremendously prone to loss or theft, which is a massive security loophole," warned Jason Holloway, UK manager at encryption and antivirus vendor F-Secure. "Thankfully, there haven't been any major instances of security loss with mobile devices, but it will be happening soon."
Hacking of websites is an increasing problem, and only makes the owner look foolish. "Website defacements are now so common that Attrition.org, which used to maintain a database of compromised sites, can't keep up any more," explained Brindle.
Old-fashioned hacking remains popular with the bored, the disaffected and the plain spiteful. Amateurs can find hacking kits on the web, and most breaches are due to poor security rather than intelligent hacking, especially as frantic ecommerce roll-outs encourage businesses to cut corners. There is an increasing tendency to target particular applications, not just mail and domain name servers but ecommerce packages and bespoke applications.
Denial of service attacks, which swamp websites or email systems with huge numbers of hits, are also a risk. They are exacerbated by the number of poorly secured business servers and home PCs which can be 'parasitised' by the attackers.
With so many threats assailing ICT systems, it would be easy for security resellers to focus exclusively on the risks and the awful consequences of getting it wrong. This has been a common tactic in the past, but it has a nasty tendency to backfire as potential customers come to view security as a costly overhead and just bury their heads in the sand.
Security as an enabler
A more profitable approach is to persuade customers that security is an enabler. "The driver for security changed in 1999," said Jonathan Wagstaffe, managing director of consultancy and networking reseller Connectology. "The idea that we need security because the world is full of geeky hackers was superseded by the idea that by implementing appropriate security we can enable our organisations to do millions of pounds of extra business over the internet. Network security used to be in its own box marked 'optional'. Now it is the essence of corporate IT strategies."
Security is becoming so complex that many businesses lack the expertise to run it in-house, especially since it needs to be constantly reviewed and updated as business needs change and new threats arise.
This is fuelling a boom in managed security services, in anything from antivirus, firewall, VPN and intrusion detection services, to remote audits, vulnerability assessments, penetration testing and 24-hour support.
"We think the opportunities in the managed security space are enormous," said Craig Whitney, sales manager for managed security systems at ISS. "The business drivers to outsource are so compelling that we believe most companies will outsource their security, or parts of it, in the future."
In North America, Infonetics Research found that 84 per cent of network managers plan to outsource VPNs, while IDC predicts there will be 61 per cent annual growth in managed security services until 2004.
Larger resellers can set up their own managed services operations. But for those who lack the resources or experience, vendors like ISS, and distributors such as Allasso and Unipalm, have begun offering managed services for the channel to rebrand and resell. Allasso now has more than 30 resellers selling its Activis service.
Whether they provide the expertise themselves or rebadge someone else's, highly competent security resellers will find a healthy demand for their services for the foreseeable future. But the emphasis is on competence, and woe betide those who mess up. As Dodwell said: "With security, you only get one chance. If you get it wrong, the customer won't return."
CASE STUDY: KEYFORT
According to Harvey Jones, sales and marketing director at specialist security reseller Keyfort, selling security is no picnic. Customers are often disorganised, short-sighted or plain mean.
"Even those who have a basic understanding of the need for good security are approaching it piecemeal," he explained. "It seems to be very reactive: 'I've just installed an expensive server, so I'd better protect it.' Many purchasing decisions are cost-driven, but you can't build effective security with that mentality.
"At the peak of the dotcom era, many organisations were cash rich, and so were happy to install comprehensive security, but now the squeeze is beginning and that sort of spending is often the first to be abandoned. Security is expensive, and it's hard for organisations to see the benefits."
Half the battle is getting through to the right people. "It's generally the IT manager who makes the decisions about security," said Jones. "But as resellers we need to convince customers that it's the managing director and financial director who have a far better understanding of the value of their business and what needs protecting.
"It often takes a long education process on the part of the reseller to ensure that customers fully appreciate the value of their networks. This has to be achieved first, and it becomes a consultative sales process thereafter."
Increased competition can only make things tougher, so resellers will have to work hard to diversify and prove their worth to clients.
"As more and more resellers push security solutions, margins will inevitably drop," said Jones. "The only way to retain margin will be by adding value. We've looked at this and understand that it's hard for customers to see the benefits of a managed security service. If you have to think about the service you are getting, it's probably because something has gone wrong.
"So we have to make sure customers get good value from their service, but also that they can see they're getting good value. Then there will be a basis for a long-term relationship."
CONCLUSIONS
- The security market is experiencing strong growth as threats grow and reliance on ICT systems increases.
- Margins are healthy, with added-value opportunities and repeat business.
- Many security resellers are specialists, but general resellers are becoming interested.
- Constant change in both threats and business needs necessitates constant revision of security measures and policies.
- Perimeter security is no longer enough, and multi-layer solutions are becoming popular.
- Managed services are an increasingly attractive way for businesses to buy their security, offering opportunities for resellers.
Appearing in this article:
Allasso (0118) 971 1511
Computer 2000 (01256) 463344
Connectology (01844) 218383
F-Secure (01223) 257747
FrontRunner (020) 7539 2778
Internet Security Systems (020) 7626 7070
Keyfort (0870) 727 3535
Security (01344) 781744
Sophos (01235) 559933
Symantec (01628) 592200
Unipalm (01638) 569600
Vistorm (01865) 386900.