How to Successfully Sell Managed Internet Security Services

In the past decade, Internet security has evolved from a task that had to be handled in-house, to one that an increasing number organizations are happy to have a managed service provider handle. Here, the CTO of Network Box USA outlines how IT solution providers can effectively provide customers managed Internet security services. —Jennifer Bosavage, editor

Selling Internet security is quite different than selling any other type of IT-related solution. The very mention of the word “security” raises several antennas at every level in every organization. The only debatable thing is: How do we get to a secure posture that is rock solid?

Too many organizations see security as a function of compliance, rather than the other way around. IT solution providers are responsible for informing customers that although security will make them compliant, compliance may not make them secure. Unfortunately, in most small and midsize companies, compliance is the big driver, with security being a nice thing to have that results from the compliance efforts.

The idea of selling managed Internet security services was considered almost obscene 10 years ago when we started our company. Internet security was seen as something too top-secret to be delegated to an outsider, and yet no one was doing physical security in-house. That issue had already been overcome for many years; if an organization needed physical security, it delegated the task to a specialized company. Just what was so different about Internet security escapes me, but somehow customers thought something was different.

Today, the idea of managed Internet security is widely accepted. Industry analysts now calculate the managed security market is already around $5 billion and are forecasting it will grow to $12 billion by 2013. So, it’s time to gear up and learn whom to talk to and how to approach the subject.

Your chances of succeeding are higher if you talk to C-level people and present the proposition purely as a business one, showing them that they can save a large amount of money while increasing their security posture. After all, security is not a piece of technology but an ongoing, 24/7/365 task. Hackers never sleep, so neither can your potential customer; therefore, security needs to be done by a team, because one person cannot keep up.

The choice, then, is whether to increase in-house security personnel or outsource the task. An SMB can’t hire a team of security specialists; it’s too expensive, and the specialists would not stay long anyway because the career growth opportunities would be too limited, and the learning opportunities might be even smaller. To achieve real security, outsourcing is a great option for your customers, and the choice now is what should they outsource.

A few options to present:

• Outsource to us the details of your security, the mundane issues of watching over the edge of your network, upgrading and updating your software and signatures, making the necessary configuration changes, and so forth.
• Outsource as a consulting engagement the policies and procedures that will improve your security posture, but don’t outsource your overall security.
• Keep in-house the risk assessment; risk belongs to the customer, and a customer employee should watch over it.
• That approach shows the customer how, over time, a managed security service can provide real and strong security at a very affordable price – a fixed, no-surprises fee. CFOs love this story; there is nothing they like more than a low price that will not become a surprise at the end of the year. The total cost of ownership (TCO) is always a compelling argument for C-level decision makers. When calculating this, you need to be sure to encourage them to also consider the time and money spent when such tasks are managed in-house.
• Taking into account only the cost of the hardware involved is not a good measure of the TCO. The hardware, of course, is an important factor, be it a unified threat management (UTM) appliance (we sell Network Box’s own UTM, which includes numerous applications – firewall, intrusion prevention and detection, virtual private network, content filtering, anti-virus, anti-spam, anti-phishing, and anti-spyware) or individual devices. Whatever your customers choose, the hardware needs to be managed, monitored, and updated.
• It all costs money, but outsourcing will save the company a lot of dollars. That's because the service provider can spread its own costs over a number of customers, whereas a dedicated IT employee will bear the entire cost on the internal budget. Also, an employee needs vacation time, personal time, holidays, and other time away from the job. When those tasks are outsourced, this issue disappears as well.
• Finally, here are some tips relating to the all-important firewall. Do not talk about replacing the firewall with a managed solution to the person currently managing the firewall, unless he or she also has several other tasks and will be happy to relinquish that particular one. Otherwise, that employee will feel as though you’re trying to threaten his or her job and will start putting obstacles in your way. In addition, explain that changing firewall port configurations is NOT a strategic task in the realm of security. Risk assessment is strategic; overseeing the entire security posture is strategic; changing the firewall rules is definitely not.