CRN Research: Solution Providers Expect To Shoulder Financial Burden Of Spectre, Meltdown Mitigation

Many customers look to their local solution provider to navigate the Spectre and Meltdown patches, and those companies are forced to absorb the costs from the fallout of the security flaws.

According to an exclusive CRN survey, almost 46 percent of solution providers are absorbing costs of the Spectre and Meltdown mitigation themselves, including sales, general and administrative expenses (SG&A).

CRN conducted an online poll of 190 members of the CRN Channel Intelligence Council, a panel of solution providers representing the broad channel ecosystem in North America. In the survey, solution providers ranked the vendor responses to the Spectre and Meltdown vulnerability issue on a scale of one to five, with five being the top mark, or "excellent."

"There are additional things we have to do … we need to absorb the cost; there's some time we're taking to be vigilant and stay on top of the Intel guys so we can then disseminate that new information to our customers," Barrett Lamothe, federal sales team lead at MicroAge, a Tempe, Ariz.-based Intel partner, said.

Channel partners are dealing with the fallout from the Spectre and Meltdown security flaws, which were revealed in January and impacted chips from multiple vendors. The flaws, which account for three variants of a side-channel analysis security issue in server and PC processors, potentially could enable hackers to access protected data.

Moreover, while Intel has worked to issue patches for these exploits, the company in January acknowledged that some companies are reporting reboot issues with both older and newer chips – including Skylake chips – for both client compute and data center after they patched their devices.

For partners, that has meant deploying patches, chasing down information from Intel and OEM sales reps to help clients understand the safety and performance implications of Spectre and Meltdown, and acting as a middleman between OEMs, chip manufacturers, and clients.

Beyond absorbing costs, up to 54 percent of partners CRN surveyed are covering the Spectre and Meltdown mitigations through existing managed services contracts, while 29 percent are selling new managed services contracts. Up to 12 percent of partners said that they are getting reimbursed from vendor partners.

Lamothe, who said about 90 percent of his customers had completed all the Spectre and Meltdown updates available to date, is both selling new managed services contracts and absorbing the costs himself.

Lamothe said that he estimates he will absorb between 1 and 5 percent of SG&A expenses as a result of performing Spectre mitigations at no charge to customers. A majority of those costs are due to the extra time spent on "being vigilant."

"We're staying in touch with our reps, going in and working on new patches. That patch management is just something else we're going to have to do," said Lamothe.

Those costs are adding up – of those solution providers who are absorbing costs, 61 percent of CRN survey respondents said they estimate they will absorb between 1 and 5 percent of costs, while 33 percent estimate they will absorb between 6 and 10 percent of total costs. Meanwhile, 6 percent of solution providers said they expect to absorb between 11 and 15 percent of total costs.

Mike Barg, chief engineer at Lexington Consulting, a Lexington, Mass.-based consulting firm, is working with his clients in the biotech, manufacturing and life sciences markets to ensure that they are fully patched and up to date in the wake of the Spectre and Meltdown fallout.

A lot of the time dealing with these security flaws, which Barg says is necessary for helping his clients, has been spent "after hours." For solution providers working with larger customers, those costs could be even higher, he said.

"We are absorbing the costs as we're looking at the time it takes to put the patches on all PCs – there's a time factor there, which we need to do in our off hours, but we have to take care of those things," he said. "It's a function of scale ... for a client with thousands of PCs, these patches are very significant."

Joshua Liberman, president at Net Sciences, an Albuquerque, N.M.-based managed services provider, said that he has not heard of concerns from customers around Spectre and Meltdown – but has a mitigation plan in place for future patches that involves absorbing the cost to help certain customers.

"We are going to patch any machine that we've built that's under warranty, and we'll also cover anyone on a flat rate managed services contract on any machines that we support," he said. "We will absorb the costs. But beyond that, we're just doing research and testing in shop, as well as poking Intel to get a sense of what will happen and what kind of timeframe we're looking at."

Moving forward, Liberman said he wants to see more caution from vendors around addressing security – as channel partners are left helping pick up the pieces after big security issues hit the industry.

"The entire industry is in a headlong rush toward moving fast ... but that's not the way to design architecture that's the underpinning of life," he said. "We need to fix the problems we have now first."