For years we’ve harped on IT service providers to shift their offerings from commoditized solutions to more advanced fare that will better grow their businesses. But while leveling up is a noble endeavor, it’s not one to take lightly. That goes double when you’re tackling information security. Yes, the white-hot security market offers profit-minded channel partners a path to more complex, high-touch, high-value services. But as with most promising opportunities, it comes with a cautionary note attached.
For the second year in a row, information security topped the growth-potential list on The 2112 Group’s annual Channel Forecast survey, besting other emerging technologies such as cloud infrastructure, Internet of Things, and business process automation. In the wake of yet another year of large, highly publicized data breaches, security remains front and center in boardrooms and IT shops as well, and is consequently top of mind for 56 percent of growth-hungry solution providers, according to our research.
But spinning up a legitimate security practice involves more than just bolting on a few isolated products and adding security to the line card. Security requires deep domain expertise in threat modeling, risk assessment, vulnerability management, and risk mitigation that most IT service providers lack. Only a small fraction of solution providers—about 1 in 5 by our research—have what can be considered a true security practice with distinct operational departments, certified experts, documented frameworks, and systems built on integrated technologies.
There’s a bright side to our research, however. Solution providers that do invest judiciously in security practices enjoy higher average sale prices, profit margins, and sustained customer relationships, our data shows.
Moreover, solution providers have a significant advantage over boutique security specialists: They know the client’s business and infrastructure intimately. Putting this advantage to work in the context of information security is crucial to a successful security practice.
Here’s a short list of best practices for developing a quality security services offering:
Find your focus. To craft a business plan for a security practice, figure out what problems the market needs solved and what resources—human, technical, and procedural—are necessary to solve them. Remember that your value-add in security will be your methodologies and your processes more than your product offerings.
Master the domain. Security is a domain unto itself—part science, part art. IT chops alone aren’t enough. Industry specializations have given many partners a leg up in understanding risk assessment and mitigation in their chosen vertical. Start there and work to build more robust, scalable processes that encompass increasingly complex security issues.
Bring in experts. Much has been written about the relative value of security certifications like CISSP, Security+, and CEH. For a new practice, these credentials indicate that you understand the nuances of security and are willing to invest in the skills needed to safeguard customer assets.
Choose vendors wisely. Cut through the marketing noise and industry clutter to select a group of vendors with offerings that fit your practice’s vision, roadmap, and support requirements. While many vendors claim to address the entirety of security concerns, the reality is that it will take a collection of targeted, integrated technology tools to support the services you deliver.
Establish your process and brand. Over time, a good security practice will amass a trove of intellectual property in the form of assessment and mitigation methodologies, policies, and processes. These become the calling card of the elite security service provider, a way to demonstrate unique value and competitive advantage in a crowded security marketplace.
Security is a prime channel opportunity, to be sure. But just because solution providers can do something doesn’t mean they should. In security, the stakes are high and the margin for error is tiny. Playing within your capabilities and doing it well is the only sure strategy for long-term success and profitability.
Chris Gonsalves is vice president of research at The 2112 Group, a business strategy firm focused on improving the performance of technology companies’ direct and indirect channels, and former director of technology research at the Institute for Applied Network Security (IANS).