Three ways for security and compliance

Published: November 4th, 2008

There are three ways to achieve security and compliance goals, according to Jennifer Jabbusch, network security engineer and consultant with Carolina Advanced Digital: use what you have, buy stuff, or get someone else to do it.

Buying stuff, she says, should be low on the list.

That, ordinarily, would be a rather depressing statement to the channel. After all, selling stuff is what resellers do.

During her talk at the SecTor security conference in Toronto in early October, Jabbusch told her audience that making use of what you have is often the best solution. But in order to do that, she said, you need to know all of the equipment’s features and understand how to use them. And you need to know what the stuff you’re not planning to buy would do, and figure out how the existing gear can perform similar functions.

That should make channel partners smile.

Once you sell a box, you’ve, well, sold a box, often with a teeny-tiny margin that barely pays for the sales effort. But selling expertise, with its much higher margins, can go on for a long time, providing a tidy revenue stream.

It’s not easy or fun to integrate products from multiple vendors, said Jabbusch. And in any case, customers don’t know how to enable security if they don’t know what they have.

Oh, sure, they know they have a router or a switch, and they know the brand name attached, but they often don’t know the advanced feature set that many of today’s sophisticated devices conceal within their bland grey cases.

You, on the other hand, have likely had vendor training, and have had experience in wringing the most functionality out of each unit (and if you don’t, learn – it can be lucrative).

Many networks, for example, are huge, and flat, and virtually impossible to secure. People wanting to segment those networks would be tempted to buy a box to do the work.

But judicious use of VLANs on existing equipment will work just as well, no new stuff required.

Similarly, a properly configured switch can do the same work as a NAC appliance, according to Jabbusch, and effective use of logging and reporting using a free tool such as Splunk can take care of a lot of management tasks.

A smart reseller can leverage his or her knowledge of the ins and outs of a customer’s equipment to provide services such as doing an inventory of the existing gear and licenses, checking out their infrastructure’s configuration (and documenting it), and gauging its effectiveness in fulfilling the customer’s goals.

Once you’ve determined how each piece of equipment fits into the grand scheme of things, you’re in an ideal position to assist the customer in setting it up to optimize the network.

Jabbusch suggests that customers use industry resources to acquire some expertise for their staff – user groups and peer industry groups, for example – but she also recommends the use of a consultant, especially one who can also do some knowledge transfer, as an objective third party. From there, it’s not a huge step to an ongoing relationship. And all without selling a bit of stuff.