In-depth: Tips for selling security-as-a-service

Billy MacInnes looks at the growing market for security-as-a-service and the reseller opportunities it presents. There's nothing intrinsically new about security-as-a-service.

security concept.jpgBilly MacInnes looks at the growing market for security-as-a-service and the reseller opportunities it presents.

There's nothing intrinsically new about security-as-a-service. As Ian Kilpatrick, chairman at Wick Hill, points out, resellers have been delivering managed security and services for years, and we might now term these cloud solutions.

By common consent, one of the most successful areas for security-as-a-service is hosted e-mail security. It's not hard to see why something that, in the words of Peter Craig, EMEA senior product marketing manager at Trend Micro, "makes a lot of sense as mail can be filtered 'in the cloud' and delivered spam- and malware-free to the organisation's mail server" would gain strong acceptance.

This type of service, he adds, is particularly useful to small businesses which don't want to maintain an e‑mail gateway, with its associated costs and administrative burden.

Stephen Ennis, services business development director at Avnet Technology Solutions EMEA, agrees that e-mail security is a great example of the security-as-a-service model and it encompasses a range of solutions, such as antivirus and anti-spam, encryption, archiving and compliance.

E-mail a good starting point
Nessa Lynchechaun, UK channel director at Mimecast, describes e‑mail security as a logical starting point for adopting security-as-a-service. "Securing e‑mail at rest, in use and in motion is a key part of any IT strategy, and doing that in the cloud has significant advantages for confidentiality, integrity, availability and control. Delivering all four to an equally high standard is a complex task that requires a mix of tools and technologies, which makes it well suited to a cloud service," she says.

Lynchechaun has a vested interest in making the point because of the nature of Mimecast's business, but a survey by the company found that a lot of customers were interested in it too, with 77% planning to upgrade to a new e‑mail system and 86% saying they were willing to pay a premium for third party services to ensure a safe and secure migration.

She says resellers can exploit this need by advancing the merits of moving on-premise e‑mail security, which she describes as a complex process requiring time and resources that would be better deployed elsewhere, into the cloud.

The interesting thing to note is that many customers may already be using some form of security-as-a-service without knowing it.

"When asked if they use software-as-a-service or security-as-a-service, most IT professionals will say 'no'," says Ronan Kavanagh, CEO at SpamTitan, says. "However, when you dig a little deeper, many are in fact already deploying security-as-a-service in the form of e‑mail antispam and antivirus security."

A range of choices
There are at least 10 different types of security-as-a-service offered by IT vendors today, according to Xavier Juredieu, vice-president for business development at AVG. These range from endpoint security to network security to e‑mail and web security, as well as data loss prevention, backup and disaster recovery, intrusion detection and identity management.

But he warns their value "can vary widely according to their licensing model, pricing policy and system architecture".

The reason there are so many offerings may well be because security is one of the 'as-a-service' markets to which there are the fewest barriers to entry, says ZyXEL product manager James Harris. But he cautions it still requires a certain amount of commitment, both in terms of equipment and personnel, to set up a service. "You'd need to be pretty sure you are going to get the return on investment - and you'll need good levels of expertise, excellent monitoring tools and the business processes to go with them," he says.

Security-as-a-service appeals to customers for a number of reasons, says Mark Hyland, UK country manager at Fortinet. For instance, they might prefer the option of paying for security services on a monthly basis as an opex rather than capex cost. It also reduces the worry of having to manage the daily updates that might be required with hardware because they can be done automatically via the cloud.

Kilpatrick agrees that the shift from capex to opex, partly driven by the recession, along with a reduction in staffing, is helping to advance the security-as-a-service cause.

But he warns that while it may be the preferred option for some customers, it will not be for others. "There are those which still want to manage their own security and they have many business, technical and commercial reasons why they would continue to do so," he says.

Florian Malecki, EMEA senior product marketing manager at SonicWALL, is another of those not getting swept away. He says security-as-a-service will be attractive to SMEs that might not have the human resources or technical knowledge to run their own IT security: "Security-as-a-service or managed services is a great option for them: plug, play and pay."

But he points out that it is a different story for larger organisations. Some may be attracted by the option of shifting from capex to opex, but large organisations tend to not use security-as-a-service and prefer hosting and managing their own IT security infrastructure, he says. The one exception is hosted e-mail security.

smartphones.jpgMobile suitability
Another factor that will help to drive adoption, according to Mark Fullbrook, UK and Ireland director at Cyber-Ark, is the fact that many users are so much more mobile. "While it is hard to just throw up defences, it is far easier to secure a user via a cloud connection. The sheer scale of users or connections and locations for data mean a cloud-based system is often the only option for providing complete security coverage," he says.

Kilpatrick agrees. "Cloud-based mobile device management and security, principally smartphones and tablets, is one good opportunity because it's a growing area that users recognise as a threat and where they typically haven't got any defence. It's also low cost and can be implemented without having to change existing infrastructures," he says.

Kilpatrick adds that hosted antivirus is another good entry point, as is a managed firewall or unified threat management environment with quarterly or annual billing.

Ennis at Avnet says the cloud is a natural place for security. "As many of the potential threats come from the internet, it makes perfect sense to use the internet, and thus the cloud, as the source for protection. The threat can be removed before it gets to the organisation rather than having to deal with it inside the organisation," he argues.

Selling specialist skills
Ash Patel, UK and Ireland country manager at Stonesoft, believes it is "imperative" that SMEs move to a security-as-a-service model for a lot of the same reasons outlined by Malecki. "The skills needed in IT security are increasingly becoming more complicated, and security can no longer be just a side job delivered by someone in IT. Security is becoming more dynamic, and because of this we need to be more fluid in the delivery of it," he says.

Patel points out that it makes more sense for SMEs to use specialist security resellers to deliver a managed security service with a strong service level agreement (SLA), which would be a "huge" opportunity for resellers.

But he says they should take a close look at vendor managed security service partner (MSSP) programmes. "Many vendors offer specialist MSSP programmes where they deliver their tool set to resellers on a loan basis and the reseller only pays a licence fee, which means there is little investment and a comprehensive suite of technologies for the reseller."

Harris at ZyXEL says most resellers with a solid security networking accreditation might want to consider offering active, hands-on management of security devices and regular check-ups and updates as an all-inone service "more or less straight away, and with little upfront investment as this kind of service might act as a stepping stone towards offering a remote monitoring security-as-a-service proposition later on".

Advisory role
While many vendors already offer remote services that resellers can resell, he says they are more suitable for the lower end of the SME market and consumers: "In the wider context, you just can't make one size fit all the different security needs of businesses. In the security market, as much as any other, you will still need resellers to advise, install, configure, manage and maintain, and to provide security and other 'as-a-service' options for customers. As a channel, we have to give customers a choice and cater for every customer's needs."

Steve Morgan, channel and commercial sales director at McAfee, agrees that the channel needs to respond to the growth in cloud computing and provide a consultative experience to customers. "Resellers, partners and VARs are perfectly positioned to use their knowledge of the cloud and IT space to act as a special advisor to companies on the most appropriate cloud and security solutions to meet their needs," he says.

The reseller's role as advisor is also taken up by Tony Rowan, technical director for networking and security at Avnet. He suggests resellers should concentrate on serving their customers by being a trusted advisor that works with them to understand their business and its risk to identify the right combination of security services to manage and control those risks within budget.

"By working with customers to find the right combination of services, resellers can reap long-term rewards in the form of annuity revenues and can concentrate on serving the individual needs of those customers," he says.

There is a sound business reason for doing this. If a partner is merely fulfilling product requests from an informed customer, the opportunity is limited. "That kind of customer is easily capable of finding the service they need directly over the web," says Rowan.

Find your niche
Juredieu at AVG says that in the past, companies may have had little option but to call upon the services of local IT experts to fix technology when things went wrong. But today SMEs can access "a whole range of software-driven web-based alternatives that are easy to deploy and offer attractive pay-as-you-use pricing".

While a growing number of resellers have made the switch to managed service providers, the vast majority are still wondering if they are ready for it or even if they can afford it, he claims. Resellers need to make a choice on where they want to play, because one size does not fit all. But those that don't adapt are in danger of losing relevance if they don't change.

Kathryn Miller, professional services manager at Alvea Services, says initial opportunities for resellers may lie in educating customers on the benefits of security-as-a-service and creating flexible, bespoke solutions tailored to their individual needs.

They can then create and market their own managed security services or partner with an established MSP. Linking with a distributor that already provides managed security services can give resellers access to training, sales support, marketing materials and legal contracts - without having to make the investment themselves.

She adds that because the security-as-a-service market is still young, it's a great opportunity for resellers to establish themselves early on as leaders in this growing market.

Mark Herbert, business development director at intY, says resellers need to pay attention to security-as-aservice because customers want scalability and flexibility from a security
solution, and cloud-based solutions give it to them. "They aren't afraid of cloud any more," he claims.

Herbert adds that cloud service providers dedicated to the channel allow resellers to sell cloud security solutions to large organisations that would previously have been out of their reach.

He also warns that the market is switching from box-shifting to cloud services: "This is what customers want and those which don't recognise this will struggle. There are challenges, of course, but having the ability to recognise and execute the transformation of your offering and couple that with a flexible and agile pricing model that will increase your revenues, customer creation and retention."

paper dolls supply chain concept creatas.jpgChanging channel dynamics
Hamish Macarthur, CEO of research company Macarthur Stroud, is more questioning of the nature of the vendor/reseller relationship in the post-cloud era. For example, vendors have a habit of changing partner programmes. What happens if a vendor increases its minimum requirement and the relationship is terminated? With the contract continuing in the cloud, who gets compensated? "It's not clear how things work out," he says.

Dave Stevinson, sales director at VIP Computers, also questions the long-term relationship between vendors and resellers in a cloud services model. He believes resellers can help alleviate any concerns customers may have about trusting vendors with their data in the cloud, perhaps by injecting their own security policies into cloud services.

They might also be able to provide third party assessments of cloud service provider security policies, procedures and capabilities as a service, but as the cloud evolves and vendors
prove they can be trusted with customer data, it will become increasingly difficult for traditional partners to sell security-as-a-service.

"Businesses will become more reliant on their cloud providers to assume responsibility for security, and many vendors are able to provide high levels of resilience with their own internal systems," he says.

Kilpatrick at Wick Hill is not convinced things will move as quickly as some believe because he's not sure the vendors are completely committed to the cloud services model yet. "There's a dichotomy," he says. "Vendors want to be in on the cloud, but at the same time many of them make lots of money by selling their products and services through the traditional model. That remains the main revenue source for most vendors."

Key drivers of adoption

Offers organisations complete endpoint, e-mail, web and network protection through the cloud, saving the IT department time, effort and costs, and increasing the level of knowledge and expertise of those managing the services.

Automated auditing, remediation and reporting. Cloud vendors can conduct  automatic/automated scans and other checks against infrastructure and systems to validate their security status.

Customers benefit from the visibility and security credibility established by the vendor.
Helping providers identify and mitigate potential technology vulnerabilities.

Source: Alex Hilton, managing director, Rise Partners

Benefits of security-as-a-service

Reduces or eliminates dedicated hardware  purchase/support/maintenance costs - security-as-a-service can benefit SMEs that require a high level of security but don't have their own IT resource.

Reduced bandwidth costs - by managing incoming traffic such as e-mail in the cloud, security-as-a-service can reduce or remove the requirement to route remote office or mobile user traffic to a central location for filtering.

Ease of scalability - if a business expands or shrinks, services can be easily scaled up or down.

Automatic configuration/data back-up - configurations and data are stored in the cloud, ensuring consistent availability.

Datacentre availability and security coverage - large datacentres in the cloud can meet security and availability standards most SMEs couldn't match.

Source: Alex Hilton, managing director, Rise Partners

Read more on Data Protection Services