No matter how much your customers have been affected by the recession, the need for security doesn’t go away – especially if those customers are laying-off employees.
But regardless of this need, they probably aren’t seeing an increase in their security budgets. The good news, though, is that those budgets aren’t being cut – so it’s up to resellers to work with what they have.
In the late ’90s and early 2000s, particularly when the dot-com bubble burst, security did go away to a great extent. “I was selling security then and trust me, it went away – it took a huge hit,” says James Quin, senior research analyst with Info-Tech Research Group. The difference between now and then is the increase in regulatory requirements. “Back then it was pretty loosey-goosey,” he says. “Reporting and accountability were pretty minimal, whereas what we’ve seen over the last few years is a definite ratcheting up of accountability requirements.”
That could be what’s keeping security afloat this time around. However, while few companies are cutting their security budgets, they certainly aren’t getting an infusion of cash either. Many are looking at ways they can maintain or increase security without spending more money – such as platforms that provide multiple levels of functionality.
And smart security vendors are recognizing this. Finjan Security, which plays in the content filtering space, released a new platform that provides both inbound content filtering and outbound data leakage protection. And NCircle is starting to bundle more management capabilities into its platform, so users don’t have to deal with as many tools to capture the same information.
Over the past year, a laundry list of security companies have been bought by other security companies – and they’re rolling all these security capabilities into one platform. Resellers are likely going to find that the best profit capability exists with vendors that have full-range solutions, says Quin. Customers are shying away from point products – no matter how effective those tools are – simply because it becomes burdensome to build out such a complicated infrastructure.
Despite this need for consolidation, we haven’t seen a lot of software-as-a-service in the security space. “You’re starting to see AV as a service – McAfee is doing something in that regard,” says Quin. “What you’re seeing a lot instead, and it’s always been there, is the true managed services component.”
DLP on hold
Whenever the economy slows down security should be a focus, particularly when employees are let go, says Mark Pilon, practice manager for security and networking with Microserv, a Quebec-based reseller that provides perimeter security, internal security and data encryption. “It would be nice if clients were spending money in the right places to protect themselves, but because of the economic struggle, they’re pulling back when they should be refocusing.”
Most customers are maintaining their current solutions, but spending more money on consulting to rethink or reconfigure the security they already have in place – and make it work to their benefit. “We haven’t seen much of a slowdown so far, but that’s old budget money, not new budget money,” he says.
Newer solutions like DLP, or data loss prevention, which Microserv was expecting to take off this year, aren’t yet seeing widespread adoption. “We’re hoping it will happen, but we’re conscious that people are tighter with their wallets this year,” says Pilon.
However, he added, the Quebec market is different than the rest of Canada, since it’s usually slower to adopt technology and takes less of a lead from the U.S.
But Canadians are also reactive, rather than proactive. “People will spend money to renew their anti-virus, which is the most reactive solution you can have,” he says, “whereas hosted IPS and solutions that would prevent the problem from occurring, or vulnerability scanning that everyone talks about but nobody does, they haven’t spent any money to have a proactive approach.”
For security reseller LCM Security, a majority of its revenue has historically come from managed services and consolidated firewalls. But the emerging revenue opportunity is with data security. “You’ve got a lot of tire-kicking going on,” says Paul King, president of LCM Security, which focuses its business on the Ottawa-Toronto corridor. “We’ll see if people are willing, during a recession, to spend money on it.”
Consolidation is King
The majority of LCM’s revenue still comes from companies that are consolidating their core security pieces and adding reporting requirements (for reasons such as compliance). “Whatever budget dollars are left, they have to fight harder for,” says King, “but we’re really not seeing people pulling away at this point.”
Even the banks are looking at consolidation. “We thought they would never think in those terms,” he says. “They always say best-of-breed but with this whole issue of trying to track down an event, you really need to start to consolidate.” More importantly, they need a single reporting engine for all these engines – and convincing customers of that is no longer an uphill battle.
King believes we’ll see more software-as-a-service (SaaS), partly because companies just can’t afford to have those skills on the payroll, but also because of compliance reasons, particularly in industries such as retail, banking and insurance.
But SaaS, along with Web 2.0, opens up a lot of security holes. And while organizations are filtering Web sites, they’re not scanning for malware on those sites because they’re viewed as non-threatening, says Graham Bushkes, Canadian country manager with unified threat management provider Fortinet. Ford, for example, had a Trojan on its Mustang Web site.
“Companies don’t understand they’ve got to be stopping viruses at the edge,” he says, adding that it’s better not to let the nasty guy with the goalie mask into your house in the first place.
But security just keeps getting more complicated. The IT department (if the company even has one) has to be trained on myriad platforms – and then manage all those platforms. Yet, if signatures are not up-to-date, the company’s security strategy will fall short. And that’s why consolidation is becoming such an attractive option.
“We have one annual support contract,” says Bushkes. “And, as budgets shrink, all they have to know is this one platform.” Customers can start with one or two features and, as time goes on, add others. “It’s a natural migration,” he says. “Partners really like it, because they don’t have to tell customers to rip everything out – they can migrate over time.” Customers can also test it out before they do the migration.
The latest version, v4.0, will be launched at the end of March, and will include an end-to-end PCI solution for retailers, including database vulnerability testing, PCI governance and data leak prevention. That market is expected to grow, since Visa is starting to hit middle-tier retailers with fines – which could have more effect than any government legislation.
For more, see the sidebar: Is security ready for Web 2.0?.
