Sergey Nivens - Fotolia

Selling security: Focus on services

MicroScope gathered together a group of vendor representatives to discuss future channel opportunities in managed security services

Customers of all shapes and sizes are starting on their digital transformation journeys. Those changes, accompanied by growth in the internet of things (IoT) and mobility, provide plenty of areas where security is going to be a big issue. This might just be the moment for the channel to help customers take stock and get on top of their environments.

In the second part of our security roundtable we pick up on those themes and ask the panel for their opinions on how some of the changes in the market are affecting technology.

Roundtable attendees

  • Jonathan Whitely, area sales director for Northern Europe, WatchGuard Technologies
  • Jonathan Bartholomew, UK&I channel director, Sophos
  • Damian Saunders, vice-president Europe, Black Duck Software
  • Chris Dickson, executive client partner, EMEA channels, Verizon
  • Jonathan Mepsted, managing director UK, Netskope
  • Nick Gibson, business unit executive, channel success, security unit, IBM Europe IoT
  • David Park, director UK&I, Fortinet
  • Neil Harvey, vice-president of sales, EMEA, Tripwire
  • Adam Nash, EMEA sales manager, Webroot
  • Mark Hitchins, channel SE team leader, Check Point
  • Ian Porter, head of security engineering for Northern Europe, Check Point
  • Aftab Afzal, senior vice-president and general manager, EMEA, NSfocus

How much do cloud and mobile affect business, and is IoT going to be another huge wave – and is that an opportunity to get a coherent view of the security products we need?

JONATHAN WHITELY: It is already happening. If you look at the way people look at network security, things landing on the desktop were fairly separate, but businesses can’t do that any more. The idea of where the perimeter starts and finishes has become blurred. As an organisation, you have employees with their devices, which they probably own themselves, so how much can you control those? Laptops you provide you can control.

But they both access the corporate network to a certain degree. That blurring of where the network begins and ends is just going to increase with IoT.

ADAM NASH: The cloud, in the main, is still using exactly the same operating systems as traditional business systems, so it should not be that different. The network infrastructure is better secured because it is run by a large operator.

MARK HITCHINS: The challenges are that in the traditional datacentre world you have firewall sandwiches – you are splitting that network up in there and you can actually trace a cable and figure out what goes where. In the cloud, you have that first layer, but underneath that are so many stacks of different virtual machines – are they able to talk to each other and is there segregation? No cables, the ability move around and spin up new resources – it is challenging to keep control of that. Who is spinning up a new machine? Is it a human or is it the resource behind that spinning machines and then controlling it and allowing a policy to follow it?

JONATHAN MEPSTED: The biggest challenge is that we are in a hybrid world where apps, data and storage reside on both the network and in the cloud, with public cloud SaaS [software as a service] being the most difficult to manage. The main issue is that both large and small organisations have no visibility into what cloud systems they’re using. Associating that back to risk is a big challenge. This leads to a discussion about what distinguishes a best-of-breed solution, where a move is necessary from point products to a more holistic approach, and who has the technology that answers the need. The shift towards cloud solutions represents a sea change in the approach to technology purchases.

“The biggest challenge is that we are in a hybrid world where apps, data and storage reside on both the network and in the cloud”
Jonathan Mepsted, Netskope

CHRIS DICKSON: The extension of the traditional perimeter, of what someone’s business is, has gone. You have AWS [Amazon Web Services] and Azure, etc. You have broken a traditional boundary that didn’t exist as you have extended the perimeter.

The agility and speed that is offered means the security field will expand because cloud is driving business. You will see the perimeter continue to expand. The increase in device usage is just a different expansion of that perimeter.

JM: There has been an uptake of late of large companies buying cloud security companies. Oracle just bought Palerra, Cisco bought Cloudlock, Symantec bought Blue Coat, Microsoft bought Adallom – the list goes on. They are all hoping the platform model could work.

CD: But that’s the Oracle platform – come to Oracle and everything will be good because they can encircle and encompass the entire environment. They might connect to another, but I think hybrid cloud, because the reality is that SaaS people are using different SaaS services from different cloud providers, so it is never going to be pure. Vanilla doesn’t exist. It is vanilla, chocolate sprinkles and raspberry swirls, with Oreo cookies thrown in there for extra sweetness. That’s just going to become the norm, which I think is part of the opportunity for this market because the chaos is going to continue.

Compliance still seems to be one of the main things customers are worried about. What are your thoughts on that?

AN: The fines for failing regularity compliance have got a lot bigger so people are being more responsible.

AFTAB AFZAL: I always say that regulatory compliance is the enforcement of best practices.

JW: But it is something you don’t have a choice on. Everything else you can take a vow on, but with compliance you don’t have a choice. If you handle card payments, then its PCI or nothing. Europe is becoming more regulated.

CD: It is a growth industry and it will continue to drive things. It is going to drive more of a managed service play because the average company has no idea how to read the regulations and how it will impact them. This outsourcing of liability is becoming a little bit more of a norm.

JW: You can’t outsource liability, but you are getting insurance against risk.

CD: We have an offering that is effectively an insurance policy. If you get hacked, we will come in and do a deconstruction and understand what the hack was and give you all the information.

Some people think they don’t need to put anything in and they can just buy the insurance, and if they get caught they can handle all the objections. It is an interesting dynamic because the prevention is actually more expensive than the insurance.

JW: The damage to brand reputation is the thing that is going to be a real concern.

JONATHAN BARTHOLOMEW: There is also additional cost.

Look at ransomware, for example. If you want to put an insurance policy in place focused on ransomware, and say “If you do have ransomware we will come in and clean it all up for you”, there is a cost involved with that and it seems to be ever increasing the more people you speak to. Unless you have an anti-ransomware product, which can stop the ransomware encrypting those files and can roll it back, then you have got to do the backup.

JW: A lot of ransomware has cottoned onto the idea that it is just unencrypted data. It is that, but it is also about the data. If it is worth something to you, it is worth something to someone else.

So once it is off your network, you’ve got to figure out whether to pay the bitcoins, but there are no guarantees.

MH: It used to be very expensive and you couldn’t afford it, but now they look at geolocation and work out if you can afford [the ransom]. There are different prices for how much it costs to encrypt your disk depending on where you live and what you can afford to pay.

“There are different prices for how much it costs to encrypt your disk depending on where you live and what you can afford to pay”
Mark Hitchins, Check Point

DevOps seems to be a concern for many users. Is that something you are seeing on the ground?

IP: Everything is moving to the cloud, and that is sitting in AWS or Azure or wherever behind a packet filter and security has not really been thought about because that is old hat stuff and people can’t do all their sexy DevOps stuff if I have to ask someone to do a firewall change for me. But there is a massive sea change at the moment where the security teams are having to embrace that and customers want to consume security services that can do automation and work into these workflows and do application delivery and scaling and it will become increasingly important. It is driven by the scale of private, public and hybrid cloud.

DAMIAN SAUNDERS: It is a classic application security issue as well. DevOps addresses the tradition that you can do something well or you can do something fast, but you can’t do both.

The dream of the developer is to do both things, but you can’t do things quickly at the cost of your obligation from a security point of view. So how do you achieve that goal without compromising on the integrity of the application?

We have talked a lot about prevention, but not so much about the reaction. The TalkTalk example is a good one, not so much because it had a vulnerability and it was exploited, but because when it happened TalkTalk didn’t really react to it in the right way. It had confidence in what it had built so security was assumed, whereas vulnerability should be assumed so when an exploitation takes place you have the right response plan.

Customers seem to be struggling to deal with the wide range of technologies out there, so is there an opportunity for a managed services provider to come in and provide some clarity?

CD: Isn’t it a case that people think they know what they want but they end up buying something entirely different because they thought they wanted to improve their firewalls? We see a lot of business where we take on a customer and find their infrastructure is not entirely fit for purpose. You end up changing it out not because you want to but because they have this infrastructure that does not even fit what they thought they were buying.

JB: Do they really understand the technology, or do they get sold to?

MG: There is probably a different way of delivering what they need, so it could be a managed service or something traditional.

AA: Technical people are normally better than the sales people. The sales people will [meet with the customer] and come back and say ‘Can I have this?’ We will ask why, and they tell us the customer wants it – but they didn’t ask them why and what they were trying to achieve or what the business drivers were. We go back and have the conversation to try to understand what they were trying to achieve because there could be more products that are more suitable.

DS: There is a great quote from Henry Ford. He said that if he’d asked the customer what they wanted he would have built them a faster horse. So we all know what it feels like. I think the reason the sales cycle starts with a sales presentation is that because customers know that by meeting vendors they might learn something they didn’t already know. So it encourages them to challenge their assumptions. Most of them find it like a road to Damascus, and that is a healthy thing because it is a market that moves pretty quickly and we are all specialists in our respective fields and we can come in and challenge their point of view and get them to see the problem from a slightly different perspective.

JB: That is where a good channel partner can come into play. One that understands the market and understands the technologies and can pinpoint the problem they really want to solve.

DAVID PARK: It also goes back to the customer’s perception of what the vendor actually does. It is important in the sales cycle that you do get across the other aspects and capabilities of your technology solution, and the benefits of a seamless security infrastructure, for example.

CD: The biggest problem is that most people enter a security discussion thinking they know what they need based on the fact that they have gone to a website and they have been entirely misdirected into a particular solution. There are less and less direct sales people that are going out there and informing people, so the digital assets have got to get a lot smarter around what people do.

AA: This is not a market of uninformed buyers. When you are buying at home you do a lot of research and you go into the showroom thinking you know what features you want and you have a perception of what you need. Business customers are doing the same, and are going into the boardroom with a long list. Sometimes they even have your price list, and they have talked about what they think they can afford, rather than talking to you about what they need to protect. It is a real challenge to get them to take an holistic approach and see what coverage they need, and talk about price later, because they already have their preconceived ideas.

Are your channel partners in the right place?

NEIL HARVEY: When we said earlier that the MSPs [managed service providers] will be the ones to bring it all together and deliver the complete solution, I think we are a long way from that today. I think the VARs today in the security world don’t always understand the technologies and they are going out with a bag of stuff. The VARs are not as well informed about the real valueadded products they could take to market.

VARs in the security world don’t always understand the technologies. They are not as well informed about the real value-added products they could take to market
Neil Harvey, Tripwire

DP: I would disagree with that slightly. I think there are a number of VARs out there which have skilled up, invested and are consultants for their customers. These VARs can go to their customers with a proposition to look at the infrastructure, look at where the risks are and come back with a solution to plug the gaps. You will get the VAR that phones up and says “Do you want to buy a firewall?” And you will get the VAR that phones up and asks “What keeps you awake at night and how can I help you?” AA: They may not know the technology, but they know the client.

They work on trusted relationships. They will come back and go to the vendor or the distributor and they can be the gatekeeper to that relationship and they can be the consultants.

DP: There is a huge skills gap out there. That’s partly why people are outsourcing because it consolidates those skills to a point. Over the past couple of years we have completely overhauled our partner programme to ensure there are technical certifications that mean people have the skills and capabilities to go and have that conversation. They can go and design and deploy the technology.

The next challenge for the VARs though is that they have a limited skills base, so who do they invest in with a multi-vendor strategy. Who do they invest in to have those skills? If they invest in all the best of breed, they have to do it multiple times. Or they look to a platform, which is more cost-effective. 

NH: We are doing the same as well because I recognise there is a weakness in the channel.

DS: If you are the managing director of a security VAR, what keeps you awake at night is differentiation. So the danger is the mainstream, because if I sell the same as everybody else it is on price and a race to the bottom, so they need to be able to surround the portfolio with something that is unique to them, like emerging technologies or specialisms in cyber security. They will be able to get more margin because they have the knowledge and the quality and that’s what most people will consider to be the ‘V’ in VAR, and that’s what they will pay for.

If you are a security chief in a big company you might have the urgency, the budget and the mandate from the business to do something quickly, but you don’t necessarily have the bodies lying around at hand that you can marshal around the implementation of the new products. As vendors, we wouldn’t necessarily have that either, because the integration of our technology requires a broader set of skills that a consultant would have. So that brings us back full circle to this idea of managed services for security. In that instance, it really is the way forward.

In conclusion, do you think that with this move to managed security services your channel is in the right place?

DS: I think it’s a time for some close self-inspection in the way that, as vendors, we package and learn to make money in a slightly different way and break some of the traditional models in the ways we charge for the product. We need to follow that notion that a smart vendor, at all times, tries to make themselves easy to do business with. If you take our traditional licence models and apply those to a channel that is trying to offer managed services, then you are making yourself hard to do business with. So we need to find a way to make sure our products and services can be exported through a partner as a managed service out to the customer.

CD: My business is embryonic from a partner perspective and the channel, and we are starting from the ground up in EMEA. But what we have built is channel first and that extends to everything we do.

Most people enter a security discussion thinking they know what they need
Chris Dickson, Verizon

I think white label managed services is a play that will come up and is something we are seeing. It is a very big focus for us to ensure that the portfolio we provide as a vendor is fit for purpose.

NICK GIBSON: We have got some very large systems integrator partners that cover the whole market, and then we have a lot of smaller localised MSPs in specific countries and markets. Some of the VARs might be legacy partners, but they see the demand in security and they try to get into that space, yet they have challenges in terms of their expertise. So they either go and buy that expertise or buy a company to be a security division at that large partner. So our channel covers the entire spectrum.

NH: We are just going through revamping our route to market in terms of MSPs so it is something we very much have our eye on. I expect to see changes in our organisation about how we address that market. My biggest concern is about who’s out there that we can actually take that to and who can effectively deliver that. We are talking about the maturity of the channel to try to deliver managed services. I think there is still a lot of work to be done, not just by the vendors, but by the channel as well.

MP: It is very important from a technical point of view that products are built with multi-tenancy from the ground up and not as an afterthought that is bolted on afterwards. That is something we have always done. The commercial model needs to make sense to go along with that. Vendors do need to be aware that managed service pricing isn’t the same as traditional product procurement and they need to have flexible commercial models around that so MSPs are able to build the infrastructure that is scalable and secure and makes sense.

MH: It is important that the package is right and the products and solutions are understood and packaged correctly. The value can be given and the licensing models are made simple so it is understood and can be delivered so it is not a complicated thing to do. We already have a top tier that are providing MSP services for us and it is about making that accessible to further down that partner chain.

AN: About 80% of our business is MSP and 20% is traditional reseller. It is a huge focus and it is an SME up to mid-enterprise play. We are trying to make ourselves easy to do business with, with flexible pay and utility business. We are there, but it is always about listening to the market and making it better.

JM: We are absolutely convinced that MSSP [managed security service provider] is the right model for us. We are responding to the zeitgeist that is cloud, and we are a cloud security product.

We then need to have an architectural fit for the drive towards mobility. Regulatory compliance concerns are also massive. We know that once our solution does become embedded, its range of capabilities is broad. We need these skill sets.

AA: We are already working with MSPs. It has been an interesting challenge for us to move from multi-tenant back down to enterprise. The challenge you have from organisations is a lot of them go from enterprise to multi-tenant which is harder because you have to have to make it more granular and have friendlier controls.

We already have all of those, but we are moving back down to the enterprise. At my last company we had a challenge because we had a product that could be multi-tenant, but we were scared of cannibalising our own revenue streams. When we started to do that the sales people internally were getting damaged and they didn’t want to sell to MSPs because they would out-price it and they were damaging the channel. It is a real challenge to get it right. This company has got it right, but it is about balance.

JB: We absolutely see a shift across our channel towards partners offering managed services, and no longer being restricted to the sub-100 space but serving the mid-market and the enterprise.

Sophos has always operated in the SME space, and has always had a managed services offering and understanding of what this needs to look like. Over the past five years, Sophos has worked closely with all of its partners to better understand what customers need from the partner community and what they need from Sophos to build and maintain a profitable easy-to-support managed service. The Sophos central dashboard enables partners to centrally manage multiple technologies, including next-generation endpoint, anti-ransomware, UTM [unified threat management] and MDM [mobile device management], across all of their customers, having full visibility of what is happing at any point in time on their customers’ networks. Partners can use this information to centrally implement changes required to offer better protection. Sophos central can integrate with existing RMM [remote monitoring and management] tools and billing engines to further enhance the partner user experience.

JW: We have had an MSSP programme for a long time. There are so many different types of MSSP, so trying to get a single programme to fit everyone is really difficult. For us, the success has to be in being able to split out a very good commercial delivery platform, whether that be flexible billing that fits in not only how the VAR works but also how the customer works as well.

Also, depending on the size of the hardware you are looking at, buying it is taking the flexibility of budgets. These are all things we are looking at as we try to make it as flexible as possible.

The key to a MSSP solution has to be the management of the devices and so you have to provide the tools so that the customer can see the reporting and it is flexible enough for an MSSP to truly be able to offer a service that they would not be able to get off the shelf from somebody else.

DP: We recognised some time ago that MSSP is the channel of the future. We have a dedicated programme and have historically worked with traditional MSSPs that have always been in the security market, and we are also helping VARs that are moving into that area to adopt those types of services. The key to our approach to it is the ability for them to be able to spin up new services on top of what they have traditionally been doing. We will continue to invest in that.


Read more on Threat Management Solutions and Services