IT and Business Insights for SMB Solution Providers

Security Is a Safe Bet for VARs

Rather than a sinkhole for client budgets, security consulting staves off threats, saves money, and often opens opportunities. It's also a high-margin added practice for VARs.

By Erik Sherman

SECURITY WOULD SEEM like the ultimate dead-end IT activity. Companies spend money, get no added business value, software and hardware margins are low, and VARs see client IT budgets drained.

That doesn’t have to be reality, however. Wayne Gosselin, COO of 10-year-old VAR Centerpoint Direct in Atlanta, says that the company’s security practice brings margins from 50 to 65 percent. “I had to buy an appliance, redundancy, and licensing,” he says. “Then the ramp-up time to get people certified and trained and then knowledgeable on the solution. Once the foundation is built, the margins are extremely high.”

VARs can show customers how IT security implementation staves off threats, saves money, and even opens business advantage and opportunity. The result can be that SMBs find additional money for services and resellers get unusually strong margins that help bolster their overall business. To turn info security into a safe bet, VARs must learn how to adequately create, sell, and support service and product offerings.

PROS FOR CUSTOMERS
Years of news about security breaks, hackers, data loss, and resulting public relations nightmares have demonstrated that information security is a real issue. Although SMBs can be tight with a technical dollar, they are badly in need of better information security, and often know it. According to a 2010 study by market analyst firm Forrester Research, data security is a high-priority or critical-priority issue for North American and European SMBs. At the same time, 69 percent of firms say that cost and business justification for data protection projects and technologies are two of their biggest challenges in implementing security technologies.

According to a study commissioned by security vendor Symantec--so grab a pinch of salt--59 percent of SMBs have no endpoint protection to combine anti-virus with desktop firewalls and intrusion detection. Almost half don’t back up desktops, and a third lack basic anti-virus protection. VARs that can address SMB security issues can fill a big need--and find a big opportunity.

However, getting customers to embrace investment in security can be difficult. “A lot of the small businesses will question any expense,” says Harold Mann, founder and president of Mann Consulting LLC, a 13-person VAR in San Francisco. “When it comes to security, customers don’t want to spend money on it. The challenge is explaining to them how truly vulnerable they are.”

Education is easy if a customer has had an incident and either lost data or had to pay to rebuild a PC. Otherwise, the VAR must plan on a tailored education campaign to help a customer understand that it’s better to avoid a problem than to clean up after one. The reseller will have to find the right balance of argument to make its point. “Do they respond better to pain, or do they respond better to gain?” asks David Johnson, co-founder and vice president of The Fulcrum Group, a 10-person VAR in Keller, Texas. “A single incident could cost you more than the cost of the service for the whole year.”

Regulation can be a great pain motivator, and applies to a growing number of SMBs. For example, any business that “regularly extends, renews, or continues credit” or arranges for credit for consumers will come under the Federal Trade Commission’s Red Flags Rule come January 1, 2011, and will need systems to note potentially fraudulent activity. That will include security. Companies that take credit card payments will need to consider PCI compliance.

Many SMBs already come under one set of federal regulations or another. Those companies often must demonstrate a security program to come under so-called safe harbor clauses and avoid potential liability, should there be a data or privacy breach. Gosselin often works with medical offices that will pay for security to comply with federal Health Insurance Portability and Accountability Act (HIPAA) regulation.

However, VARs in the security space will also note how proper security and monitoring can help clients regain significant lost productivity, invoking the carrot as well as the stick. “They buy it for the peace of mind and security, then they get to see the reports,” Centerpoint Direct’s Gosselin says. “They get to know what their employees are doing.” Reclaimed time formerly spent on personal email and Web surfing can translate into more work done with current employee resources, reducing operational costs.

THE SALES APPROACH
To address the more arcane aspects of security, including how it intersects with regulation, a company needs know-how, according to Mike Rothman, president of analyst firm Securosis. “You can’t compete with distribution leverage,” he says. “[Resellers] have to figure out where to specialize.” Credibility in security will require preparation and commitment. “Make the investment, understand how the business works, take the time to specialize, and build up a staff that knows how to take care of the clients’ problems,” he says.

Gosselin says that it could take six months to ramp up a security practice, with the investment breaking even in 12 to 18 months. “The more people you ramp up quicker, the shorter your break-even time,” he says. “Once you get a client sold on it, if they have multiple offices or home offices, it’s easy to incrementally grow more high business inside of it.” A SonicWall reseller, Centerpoint Direct went from bronze- to gold-level status within a year.

Some VARs have found that intelligent partnering is another route to expertise. Chadds Ford, Pa.-based Dorset Connects, which specializes in network infrastructure consulting, “made a conscious business decision not to seek expertise in security personnel,” says President Rob Sparre. Instead, the firm partnered with Evolve IP, a managed service provider. “We can hire them out on a project-by-project basis.”

In part, expertise means that security becomes more than a courtesy offering to customers. Resellers must get beyond just suggesting anti-virus software or firewalls. Syzygy 3 in New York City works with clients that run from five to 500 users in size and offers security consulting. “There’s no margin [in product sales], unless you're selling millions and millions of dollars of equipment these days,” says principal Sean O’Rourke. “You offer to procure it so that you know the right piece of equipment is being ordered. If you left it to the client, there could be a miscommunication or misunderstanding, they buy the wrong thing, and it ends up costing the client more.” Syzygy 3 generally gets only 2 to 5 percent on such sales--just enough to cover credit card fees or floating receivables.

Syzygy 3 makes its money on planning and services. “IT firms are very much like law firms,” O’Rourke says. “You’re paying for our brainpower and experience. If you tap into that, you’re going to get charged for it.” It’s understanding that puts the value in VAR.

Jim Lippie, president of Lawrence, Mass.-based Staples Network Services by Thrive, the chain's SMB consulting arm, says, “There are so many things that you could spend money on to make your network secure, but don’t lose sight of the quick, easy, cheap things you should be doing.” Help a customer establish prudent business practices with basic security equipment and software and you can help it to get 80 percent of the way to where it needs to be.

To keep from unnecessarily draining the client’s budget and pouring revenue into low-margin areas, Syzygy 3 interviews the client and then sizes a hardware firewall to meet the company’s current number of employees, and also provides enough capacity for expected growth over the next few years. The reseller uses hosted anti-virus and anti-malware solutions. For small clients with fewer than 10 employees, it sometimes suggests some use of free software, such as Microsoft Security Essentials or products from AVG.

Having in-house expertise offers another advantage. Even if a client or prospect uses another VAR for security services, it will still need an audit. “Security can be a little bit like the fox guarding the hen house,” says Sparre of Dorset Connects. “We don’t believe that it’s in our customers’ best interest to have us do our own security audits.” Another firm should perform them. The converse holds true as well. If another firm provides security, a VAR can sell audit services to a company.

Many VARs that work in the security area offer managed services to their clients. Not only is there annuity revenue, but the margins can be strong. Not all make upwards of 60 percent like Centerpoint Direct, but healthy profit in the area is common.

For example, College Station, Texas-based ABC123 IT regularly sees 40 percent margin on a managed security appliance it leases to customers. The gateway device includes anti-virus, anti-spam, intrusion prevention, Web filtering, and phishing protection. The VAR’s pricing is by the number of users and starts at $75 a month, generally presented as part of an average monthly contract of $1,200 to $1,500. That includes one day a quarter for on-site maintenance.

“It probably took four to six months to refine the package down to that price,” says ABC123 IT CEO Mark Shehan. “When you tell them the monthly cost, they often give a sigh of relief. They usually see a pay-off in month one or month two.”

“Using managed services is a great way to mitigate the drain on the budget, because it’s a fixed price, you know what it is every month, and it covers what you need in that area,” says Johnson of The Fulcrum Group. Nevertheless, selling the customer on the concept is still necessary. “It may not be a huge amount of money, but it’s $1,200 or $1,800 a month, and their entire IT budget is $25,000 a year, and it becomes a question of where do I cut to buy that, or is it just one of those things I have to have.”

There’s another danger to price sensitivity. Clients could opt for inexpensive services that don’t deliver when they need to. Staples Network Services’ Lippie has heard all the stories about consumer-level online backup services that are cheap, but that have bad reputations when it comes to making archived data available after a computer crash. “I call it the fitness club model,” he says. “They sign everyone up, and then they hope [the customers] don’t show up.”

But even if customers take the cheap route and are unpleasantly surprised, the VAR’s time educating them will still pay off, according to Mann: “The good news for the VAR is, if they make the investment in educating the client in a productivity way, when that eventuality occurs, the VAR is going to look like a prognosticator and the customer will respect the VAR after that.”