Even as their IT spending becomes more judicious, enterprises continue to invest heavily in security technologies as they attempt to fill the holes opened by years of network expansion. Experts advise solution providers who are serious about the security business to focus on vulnerability assessment and policy-management consulting services rather than duke it out for low-margin installation services.
Simply selling and installing antivirus and firewall software offers little profit motive, many solution providers say. Because nearly 90 percent of solution providers offer such services, differentiation is difficult, according to Symantec, a maker of antivirus software.
Besides, many firewall and antivirus vendors keep their high-volume business to themselves. Computer Associates, for instance, sells direct to its biggest clients, such as Ford Motor and Goldman Sachs, cutting out VARs.
Price pressures have squeezed the margins out of those products for good. The only outfits making money there are volume resellers. Besides, most midsize and large enterprises already have firewalls and antivirus software in place and are focusing instead on developing policies and procedures to ward off unconventional threats.
"People are starting to wake up to the fact that just because they have a firewall in place doesn't mean they're secure," says Drew Koellmer, business development manager at Rutter Networking Technologies, a Woburn, Mass.-based network integrator with 20 staffers. "They're starting to realize that security breaches come from inside the enterprise."
The good news: The presales and postsales services most in demand,assessing vulnerability, auditing security practices, creating security policies for clients and stamping out virus outbreaks and attacks as they happen,carry profit margins many times greater than those associated with simple installations and maintenance contracts. That's because clients generally don't know how to do these things on their own.
"Where there's mystery, there's margin," says Mike Menegay, vice president of channels at McAfee, the antivirus software unit of Network Associates.
But more than just yielding higher margins on a one-time sale, these services create an ongoing relationship with the client,and, hopefully, residual sales. Those sales could explode if spending on the Internet and enterprise networking picks up steam.
"Every time you expand the network, you are potentially creating security holes," says Mark Drum, director of channel marketing at NetIQ, a maker of firewall and vulnerability-assessment tools. "That's a great potential for high-end resellers."
Michelle Drolet, CEO of Conqwest, a security specialist with 17 employees in Holliston, Mass., says that when a client beats her up on price, she walks away. It's not worth fighting when there's no margin at stake, and besides, it's clear that the client doesn't see the value in Conqwest's services. Drolet advises solution providers to take a long look at the security arena. It's not so much an opportunity to sell products but an entree to be a partner in a long-term project, she says.
"PKI isn't a product. VPN isn't a product. They're part of a whole plan," Drolet says. "When you have products you can make into projects, that will bring you higher margins across the board."
Even antivirus protection isn't simply about installing detection software onto every desktop. True protection requires protection at the desktop, server, e-mail gateway and firewall, she says.
Drolet's clients are putting their money where her mouth is. Last year, products accounted for 85 percent of Conqwest's sales. That figure is now down to 70 percent and should dip below 50 percent sometime next year, she says. Profits are up as a result, though she won't say by how much.
While solution providers don't have to specialize in security, it's a must-have discipline. Just ask Koellmer: "Security isn't a line item for us," he says. "It's in every project we do."
Even operating-system installations can become security projects. "When we upgrade clients to Windows 2000, security is always in the mix because of the inherent flaws in Windows 2000," Koellmer says.
Perhaps that explains why security is one of the few categories where corporations are still spending. While technology spending, in general, looks to be flat this year, security spending remains strong, according to a Goldman Sachs survey of Fortune 1000 IT executives published last month. In the survey, security ranked second only to disaster recovery, which got a boost following the September terrorist attacks. Some security categories may see compound growth rates of 20 percent or more in the next few years, experts say.
Many solution providers got into the security business almost by accident. They started out as network integrators and gradually needed to address new vulnerabilities exposed as back-end systems for managing financials, inventory, ordering and customer data were linked to one another. Indeed, a big driver of security consulting has been the emergence of collaborative applications that let partners work together via the Internet.
One client of Milwaukee VAR Galaxy Data,a large consumer-goods manufacturer,recently launched a Web portal to keep track of goods shipped to distributors. It draws on data from all the participants' back-end inventory and logistics systems. Consequently, an attack could come from any of a dozen or more sources attached to the portal. A breach could wreak havoc because it could halt the flow of goods.
"The more complex a networking implementation is, the more you need an understanding of how computers and communications work" and where security holes are opened up, says Lisa Pettay, president of Galaxy Data. The 14-employee solution provider billed $6 million last year.
Much of Galaxy's business comes from companies as they upgrade their Internet connections from one T-1 link to DS3s from multiple providers. While that move provides higher bandwidth availability, it also introduces the need for new firewalls at each gateway, as well as for advanced intrusion-detection systems that trigger alarms as soon as a breach is detected.
Virus experts estimate that nearly 90 percent of virus attacks come through corporate gateways from the Internet.
When building a security portfolio, the foremost concern should be to select technologies that integrate well together. "In security, it's vital that the jigsaw puzzle fits together," says Allyson Seelinger, Symantec's vice president of channel programs. "Cracks mean vulnerability."
That's one reason why Conqwest chose Computer Associates' eTrust line of security products, which includes antivirus, intrusion-detection, content-inspection, PKI, VPN, directory and management packages. "The CA stuff isn't best-of-breed, but the sum of the parts is pretty awesome," Drolet says.
Start-Ups Are Innovators
But don't feel bound to large vendors. Historically, the best security technologies have been hatched by small outfits that later became part of big vendors, Drolet says. Even if your first encounter with a start-up isn't successful, sometimes it's worthwhile to give a promising company a second chance. For example, the first time Drolet's team battle-tested intrusion-detection technology from Okena two years ago, the start-up's software crashed Conqwest's systems.
"They weren't ready, but we liked their technology," Drolet says. "They came back to us [recently and now we're doing an implementation with them in the motion-picture industry. It's impressive technology."
Galaxy's Pettay points out that start-ups are the source of most security innovations.
"Look at Cisco," she says. "It made a big push into security, but look under the hood and its intrusion-detection stuff came from Intercept, a small player. A lot of Symantec's antivirus software is pieces that came from somewhere else."
Working with a small developer before it's acquired gives a solution provider a competitive edge, Drolet notes. Just be sure to examine the start-up's finances before making any commitments, she adds.
Certification on the products you install and maintain is critical, experts say. But don't be fooled into thinking that just because you can install a firewall, you're equipped to provide a full range of security services.
Even product vendors concede that security success isn't assured simply because a solution provider has a solid product portfolio. Engineering skills are more important. "An inferior product configured correctly is better than a superior product configured incorrectly," McAfee's Menegay cautions.
Still, some niche security VARs say they're cashing in on seemingly simple installation services. "We're making a lot of money on desktop-level virus protection," says Mark Sager, head of technology at network integrator Savant Solutions, Rochelle Park, N.J. "People just can't stop infecting themselves with viruses."
Fears of cyberterrorism in the wake of Sept. 11 haven't triggered the spending binge on security technology that many expected. However, there are signs that awareness on the part of
business-line executives has increased.
"Heck, even [homeland security director Tom Ridge is talking about firewalls and intrusion detection," Symantec's Seelinger says.
Rutter Networking, 60 percent of whose business is state and local government work, has seen municipalities spend more on antivirus protection, Koellmer says. And Galaxy's Pettay predicts that municipalities will soon increase spending to secure the systems control and data acquisition (SCADA) systems that manage the water, electrical power and street lights across the country.
Still, most enterprise security spending is aimed at blocking nuisance viruses such as Nimda and Melissa, these solution providers say.
Experts agree there's no easy way for newcomers to break into the security-solutions market. The barrier to entry is high because a security focus requires advanced engineering skills. Certification in a broad range of security technologies is a must, as is a holistic understanding of how various software and hardware components across the network can introduce security holes.
"If someone just starting in the business doesn't have engineers with a very complex understanding of how networking works, they will struggle,"
Pettay says. "You don't gain those skills by going to a firewall class."
Vendors give solution providers low scores for their security expertise. Simon Perry, CA's vice president for eTrust security solutions, gives most VARs a rating of 6 out of 10. In Menegay's estimation, no single provider can offer security services from A to Z. That's why the McAfee executive advocates aggressive partnering among providers.
"If you don't have security auditing, don't be shy,partner with security practices that do," Menegay says. "This way, they don't poach on the product sale to your client, but they bring value by doing the consulting and configuration services on the contract."
Indeed, it's risky to spend a lot of money to retrain your consultants or hire new ones, especially when you consider how many new security technologies, such as biometrics, VARs will have to contend with in the next few years. Partnering minimizes the risk, while giving even new entrants access to security business.
"There's a way that every VAR can provide the solution without having to fund it and build it all by themselves," Menegay says. n
David Joachim is a freelance writer in
Port Jefferson, N.Y. You can reach him at firstname.lastname@example.org.