Profit acquisition models for security integrators and resellers shifted years ago from selling hardware and software to value-added and managed security services. Those who failed to adjust are gone.
We are now at another precipice of change: VARs that traditionally profited from wrapping "value" security services around hardware and software face a new reality because margins are being pushed down by core security hardware and software vendors unapologetically going direct, leveraging mega resellers such as CDW and Dell, and now integrating their software into hardware. The tight economy, cheaper products, simplified tools and security Software as a Service (SaaS) coming of age are all pushing down the number of opportunities, skills required and profits.
Additional profit pressure is coming from fewer clients opting for on-premise infrastructure solutions. Independent software vendors (ISVs) are investing billions in the cloud to replace infrastructure that traditional security VARs are paid to protect. In fact, with the rapid advance of the thin client computing model, soon most midmarket companies won't need much more than thin clients, an Internet connection and a cloud security solution.
As more security vendors are acquired, security VARs will likely change their business models, disappear entirely or become vendor marketing and sales extensions. In addition, the "license-to-direct" security VAR model minimizes the channel relationship. When a VAR's client needs support in a cloud model, they call the vendor. When it's time to re-up contracts, or the vendor has new offerings or upgrades, they go direct and many times make suggestions counter to the security VAR's professional advice. Cloud security compensation models don't generally recognize the security VAR's relationships and/or value beyond the sale. Vendor programs often encourage the client to cut the VAR out through bidding competition in a commodity market or the vendors pay the VAR so little in recurring, it isn't worth the time or liability to maintain the relationship.
Here are 10 things security VARs can do to lessen this pressure and increase their viability:
- Don't pretend; become a real expert in the threats your clients face. Look beyond what you sell.
- Provide in-depth, entity-wide risk analysis that examines all facets of a client's security posture. Ensure clients look to you for vulnerability assessments and remediation strategies.
- Take advantage of the massive regulatory expansion. Get fully educated on your clients' specific laws and regulations. This enables you to represent them in choosing solutions and to challenge any comers competing for client mindshare. Large vendors will never be able to compete with a fully educated and trustworthy provider.
- Be able to blow the client away with your understanding of their legal and regulatory obligations, not to confuse them or scare them into buying something, but to show you are an invaluable asset and protector of their best interest.
- Resist using marketing materials and pitches that exaggerate how wonderful products are and how they "make the client compliant." No product can make any company compliant with any of the state, federal and industry regulations. They all require human interaction, policies and procedures, and management that no box or lines of code can deliver.
- Move beyond IT into information security. Information security means you are protecting the data from loss, theft or damage. Protecting the integrity and availability of the data is as fundamental to security as blocking a hacker or a virus.
- Recognize that hardware and software are only a fraction of the solution for securing a client's livelihood. Physical-premise security, training, auditing, technology evaluation, ongoing testing and documenting policies and procedures in accordance with applicable regulations are all things that are difficult for a large vendor to deliver.
- Choose vendors for the quality of the security solutions they offer and value they provide to the client, not the margin you receive. If the client thinks you are not about them, they won't be about you either. This is especially true in the realm of security.
- Get involved with the regulatory bodies and legislators that are making security and privacy laws. Become the firm they look to for answers. This provides a level of credibility and relationship that no vendor can achieve.
- Stop being a brand-carrying pack mule for security vendors. Differentiate yourself and brand your services regardless of what is under the wrapper. That way you can eject a vendor for crossing the client line or failing to stay innovative or price competitive.
About the author:
Kevin B. McDonald is Executive Vice President and Director of Compliance Practices at Alvaka Networks, a 27-year strong Network Services and Security leader in Irvine, California. He is a trusted technology and security consultant and public policy advisor to some of America's most influential people and organizations. He serves as a senior advisor to businesses, state and federal legislators, law enforcement leaders, charitable boards, abuse prevention professionals and municipalities. He is a sought-after presenter, panelist and commentator. McDonald consults on the issues surrounding advanced technology, physical and logical security, regulatory compliance, organizational development and more.