Channel Daily News

Lack of security VARs prompts action

A shortage of security VARs coupled with an overall sluggish market is prompting vendors to uncover new and improved ways to hook resellers into the security arena.

The ever-increasing amount and advanced types of threats (including blended ones, which combine viruses, worms and hacker attacks)

along with the advent of newer technologies such as wireless and Web services highlights the need for experienced security resellers to come to the table.

The Canadian security software market, for example, in 2002 reached $131 million and is pegged to hit $173 million by 2005.

But resellers are in a difficult and confusing position, says Warren Shiau, IDC Canada software research analyst, because they’re expected to be experts in a market that is still fragmented — and is conducive to selling stand-alone software products.

“”Until vendors package together a whole bunch of functionality like the ERP market does,”” resellers will remain locked into peddling stand-alone products — and vendors will have a hard time finding security VARs experienced in more than one area.

Mirroring moves in the enterprise and system management space, “”in the security market we’re looking for VARs to provide a security platform, encompassing all areas of functionality — then the environment will be conducive for the channel to start developing expertise.””

The shift towards all-in-one functionality is mostly happening with larger players like Symantec and RSA, he adds, and will take time to trickle down to smaller vendors.

In the meantime, what are vendors doing to get VARs educated and promote broader expertise?

Pumping money into training and certification is a start, says Kevin Krempulec, Symantec Corp.’s senior district manager, channels and SMB.

A key focus for partners in Canada now is on education and certification, he says. And while he agrees there’s an overall shortage of security VARs (in part because of Canada’s vast geography), Symantec’s enhanced certification process, announced June 1, is designed to help alleviate part of the problem by attracting more VARs.

The program shortens the time it takes a partner to become certified, and reduces the number of security exams from 12 to four, he says. The exams cover Symantec’s firewall and VPN technologies, vulnerability management technologies, intrusion detection technologies, and virus protection and content filtering technologies. To achieve certification, candidates must pass at least one exam plus an authorized third-party vendor neutral security exam.

Another way to broaden VAR expertise involves enticing them to dabble in the managed security services (MSS) arena, says Allyson Seelinger, Symantec’s vice-president of North American channels.

Many companies don’t have the in-house expertise to deal with the increased risk, she says, and need to outsource. The Gartner Group says 60 per cent of enterprises will outsource monitoring of at least one perimeter security technology by 2005.

Symantec will be looking for three types of partners to sell MSS. These include managed security services partners (xSPs, hosting, telecom); managed security solutions partner s (VARs, system integrators, consultancies); and managed security reseller partners (reseller, asset management). A services partner resells MSS as a service bundled into its own offering; while solution partners and resellers both resell the MSS as a product.

The MSS pricing model in Canada is under review, Krempulec adds. “”As we roll out to the channel we have to make sure there’s no hiccups, that it’s competitively priced in the Canadian marketplace, and that we have flexible pricing.””

For SPI Dynamics, offering an enhanced channel program is another way to reel in VARs and beef up education, says president and CEO Brian Cohen.

And while this technique may seem like a no-brainer, it’s often hard to get the message out about the importance of ensuring a secure environment, and finding the right partners.

“”A smaller percentage of the resellers are competent in security than should be, given the landscape.””

IDC’s Shiau says SPI isn’t alone. Another trend is the rollout of a gamut of channel programs in a bid to spread the word.

SPI, for its part, recently launched a channel program for VARs servicing the growing market for Web application security assessment solutions. “”This program makes it easy for them to have some success in the security space in terms of doing assessments and making recommendations,”” says Cohen.

Despite slashed budgets, security needs to be considered a bright spot, he adds. “”Over the last year or 18 months the market’s been pretty slow and a lot of resellers, along with other organizations, have been scrambling, trying to figure out how they can differentiate and add value to their offerings so that they can pull themselves out of this business rut we’ve been in . . . and clearly security is a way to do that.””

It all comes down to education, he adds. “”The challenge is it requires expertise. You just can’t say, ‘I carry this product now so it makes me a security expert.’ And so they are faced with this problem.””

Compared to the U.S., Cohen says the Canadian Web application security market offers resellers more opportunity in financial services. “”In the U.S. we’ve seen it expand beyond financial services to include federal, healthcare, manufacturing, distribution — I don’t think it’s because the Canadian market is behind, it’s just there’s a lot of financial services in city centres like Quebec and Ontario.””

Cohen says VARs can make money in several ways: Doing application assessments, which are a new and important step because more than 70 per cent of attacks are at the application level; providing services to remediate the identified problems; and through education.

“”It’s important that VARs get involved now with security because it’s going to have budget authority, it’s going to be approved despite the fact the economy may stay tight for a while and it gives them an opportunity to differentiate.””

Toronto-based security reseller WhiteHat Inc. finds opportunity in the services realm, offering professional services (including security assessments, policy and privacy consulting); education (developing programs around security awareness and best practices, server hardening and counter-hacking); and offering product support, installation and training.

VARs need to ensure companies have security at the perimeter and internally, says president Alan McLaren. “”People may have firewalls and anti-virus, but that’s the end of their security and that’s the scary part.””

One of the challenges of being a reseller in this space is competing against players who promise grandiose services, but who aren’t up to snuff, he says. “”Everybody is selling security or talking about security — the reality is what happens under the covers — where does the rubber hit the road? So when I see security, I often ask, ‘What is their core business . . . and is security rooted in your culture?’

“”There are bits and pieces of excellence in our country, but there are a lot of people that tell you they sell everything but don’t get underneath it at all.””