How to sell security solutions - part four

Not only are small to medium sized enterprises (SMEs) worried about the threat to their systems posed by hackers and insecure ecommerce, they are also concerned about the viability and value of security products. Put simply, they don't trust computers and they don't trust the technology that is meant to make them secure.

As a consequence, SMEs tend to shelve the problem. "There is a tendency for SMEs to put their heads in the sand when it comes to security issues and the potential risks to them," said Karen Campbell, channel marketing manager for e-security at solutions vendor Axent Technologies.

Paul Brettle, senior consultant at encryption and antivirus solutions provider F-Secure, said that the SME sector is probably the most difficult part of the market to address, adding that both education and cost are negative factors.

"IT knowledge in this sector is not the highest with regards to the latest threats and risks. A common pattern is for SMEs to 'wing it' and see what they can get away with," he said.

SMEs are a difficult market to sell to, so vendors tend to concentrate on larger, more security-aware companies. "A considerable amount of time and effort is expended to educate [SME] customers. This means that resellers don't have the motivation to sell to this sector. As a result, they tend to market to bigger companies," said Brettle.

But the SME market potential is massive. Recent research commissioned by Axent found that only one in seven UK companies operating online has a security policy, despite 60 per cent having suffered breaches in the past two years.

Most of those organisations are not SMEs, but most businesses in the UK have 250 staff or less. According to researcher IDC, SMEs account for over 40 per cent of the total IT spend in the UK, and their spending is expected to grow at 14 per cent a year to reach £22bn by 2002. Frost & Sullivan predicts the European internet security market, valued at $489.9m in 1999, will be worth $2.7bn in 2006.

But in spite of optimistic growth expectations, the head-in-the-sand attitude is a serious problem, insists Brettle. "Although all security vendors jump up and down about the risks, they tend to be ignored. The common view from SMEs is that 'it won't happen to me', or 'if it did go wrong, we wouldn't lose much'. This is not the attitude to have when dealing with IT security. Just because the losses might be smaller in number doesn't mean that they are not as important. SMEs have a higher risk with IT security - especially internet security - because they don't have the reserves of money that large corporates have access to," he said.

Research from Frost & Sullivan supports this. "Growth is challenged by the pressing need to educate end users about the risk and the tools available to combat security threats. A raft of business decision makers and IT administrators have limited knowledge of either, and do not consider the investment required to achieve a higher level of security particularly justifiable," said the report.

The internet and the drive towards ebusiness represent the biggest opportunities and challenges for SMEs. Many are unaware of the range of issues that they must consider with regard to going online, said Bernie Dodwell, sales and marketing manager at security distributor Allasso.

"Once they understand what impact these issues can have on their business, they need advice. In some cases it may only be education. If, for instance, it is a legal practice then they will require safeguards to be in place, such as email monitoring software, whereas a builder probably will not [need this kind of security]," he said.

It pays to be patient
Caroline Hewlett, sales and marketing director at ATL Networks, said that overcoming fear and uncertainty can only be done with reassurance and patience. "It can take time to convince an SME that security could be a problem, and once they are convinced, it can be a long, hard road to get them to believe that the security of a firewall or email screening system is worth the money," she said. "It isn't a good idea simply to sell on fear. It is better to look at the benefits of security, such as more control and higher efficiency, and to provide case histories of other SME customers."

Mark Forrest, sales and marketing director at antivirus software vendor Sophos, recommends forming a partnership with the customer and helping them to keep security threats in perspective. "Good, secure computing implementations don't just come from selecting best-of-breed solutions, but from also setting a clear and appropriate security policy. This is clearly an issue for smaller companies who do not have the resources of a larger organisation. A key part of the reseller's responsibility is to understand the issues, advise on a good security policy and ensure the technologies are implemented correctly."

In some cases a more highbrow approach may be needed, said Grant Farquhar, business manager for security products at consultancy Concentric. "Typically, SMEs are very poor at identifying their assets. But the business custodian is responsible for their security, confidentiality and availability."

By compelling them to identify the information on the system as an asset, resellers can draw attention to the responsibilities of the directors of a business.

Resellers should wrap a service package around whatever security product is provided, suggested Farquhar. "Packages should include a security audit or testing service to define the need and then deliver a solution and ongoing support in terms of information, training, re-testing and updating. Computer security counter measures should also be offered," he said.

Much can be done to reassure the SME, said Tim Hubbard, senior product marketing manager at Nortel Networks, but you may need to take a deep breath before making any guarantees. It is vital, he said, to demonstrate the value of proven, secure and private communications, and where ecommerce systems are involved, a degree of trust is required between parties.

"This is a major factor in relationship building, and in creating loyalty between customer and supplier," he said.

Offering to share the risk in some way will also reassure SMEs, he said, but this might mean offering compensation for any impact on business should security be compromised. It is a commitment few SME resellers would willingly make without real confidence in their expertise.

If you can't go that far, added Hubbard, at least try to demonstrate how the solution can cost effectively deliver the required security and privacy.

Every small business will have budget restrictions, and the investment must reflect the level of security provided. Enterprise firewall systems such as Checkpoint or Raptor for example, may cost up to £10,000 to set up and as much as £4000 per month to run.

This is, of course, unrealistic for an SME. "These types of costs will drive an SME to the wall. But with some network-based solutions, the SME pays a fixed monthly fee. I have seen figures as low as $200 per month for a firewall service. This is a cost an SME can afford," said Hubbard.

But setting up such a service is expensive and requires a high level of proficiency. ATL's Hewlett suggested that, for most SME resellers, the best way forward is to look for partners. "It is not easy to go from a standing start to being able to support and manage a firewall," she said. "It takes real expertise and there is quite a learning curve."

Helping resellers that don't have the expertise is where companies such as ATL make money: by providing the managed services for and on behalf of the reseller to its customers. The reseller is given a recurring revenue stream as customers renew their subscriptions each year.

A learning process
Managed services are becoming more popular, said Dave Ellis, head of e-security at internet software distributor Unipalm. "The service provider can manage all facets of security, ensuring that the end user doesn't have to train or hire staff to manage complex security products," he said.

This approach can work for resellers, said Hewlett, as it means they have no up-front cost, no technical staff to run, and they can continue to sell the services actively. Resellers will also be able to reassure the customer that there are adequate resources behind the service.

However, if they are to educate users, resellers need to educate themselves, according to Allasso's Dodwell. "They need to understand and explain the options. By addressing the business issues and not trying to sell technology, they can gain end users' confidence," he said.

But the general opinion seems to be that most resellers operating at the SME level lack knowledge when it comes to security. "I think it's fair to say that not all resellers have the necessary skills to understand some of the issues involved," said Ellis.

According to Douglas Hurd, who is in charge of business development for Pretty Good Privacy encryption products at Network Associates, a lack of understanding makes it difficult to sell security, but the basic knowledge can be acquired easily.

"Security is complex and the technology changes all the time. There are some basics that all users can benefit from employing: knowing how to encrypt data, changing passwords often, and not opening attachments to emails from untrustworthy sources," he said.

As ebusiness pushes security higher up the agenda, a hoard of 'cowboy' security providers are attempting to cash in, offering questionable and often inappropriate solutions. "Many so-called security [resellers] lack skills and training in security services. This is because rogue distributors have helped them to sell complex solutions without the necessary training and support. In many cases the distributors are not the 'experts' they claim to be. Moreover, many do not operate a round-the-clock helpdesk, let alone 24-hour support services," said Hurd.

Dodwell argues that security needs specialist support right down the line. "It is not a nine to five job. Network breaches, errors and even attacks can take place at any time," he said.

James Guttridge, network security consultant at reseller MIS Corporate Defence Solutions, said that while real expertise may not be a requisite to sell security, the ability to listen is essential. "You do not need to hold a huge wealth of technical knowledge, but the trick is to know when to put your hands up and say 'I don't know'," he said.

Resellers need to be patient with SMEs, to listen to the business requirements and reassure the customer. "The most important thing is to be there for them. After all, a company is [trusting] you with the entire security of their network. If they do not trust you or think you are reliable, you will not get the business. Security is all about trust," said Guttridge.

For resellers who think they have few answers to security questions, there is a strong argument for partnering with expert vendors and distributors. Even so, reseller sales staff will still need to be up to speed on security issues and options.

Hubbard said that few SME end users will be aware of security issues, as they don't have dedicated IT staff and have little time to devote to the issues. "Most resellers are in a similar boat. People who really understand security would be far too expensive to hire. And I would imagine they can make far more money working for themselves or a large consulting group," he said.

Most resellers are stuck with the option of working with partners because they are unable to recruit expert staff or to justify the cost of going through the security learning curve.

"What is likely to happen in this sector is the growth of security as a service, where the security software is sold as a service to the SMEs, so they don't have the high initial outlay, and the service offered is of high quality due to economies of scale," said F-Secure's Brettle.

But not everyone agrees. Bill Tucker, managing director of Ramp Networks Europe, does not believe that resellers offering IT security need to be real experts. "They need to be conversant in the reasons why it is important for SMEs to take some security measures, and conversant in the basics of how the security application works and is managed," he said.

Tucker believes that the financial equation can work easily for resellers. "The security features are generally a pure value-add feature for the reseller. Security for SME resellers is a huge issue in the US market. It is large here already and growing rapidly," he said.

There is clearly a great deal of potential to sell security to the SME market, but exploiting that will take a great deal of time, effort and patience.

Conclusions:

• Education is key when selling security to SMEs. Many companies still bury their heads in the sand with regards to security issues.
• The cost of selling security to SMEs can be high. Resellers need to consider partnering with expert service providers.
• Resellers need to know the issues and what options are available to SMEs before they sell security products and services.
• Security must not be over-sold to SMEs. A balance must be struck between the security provided and the costs involved.
• Selling fear doesn't work; it only makes SMEs react more negatively. SMEs need to trust their security supplier completely.