Vendors: Resist Pushing Partners Into Security
Solution providers that jump into a market where they have limited expertise can do more harm than good.
By Larry Walsh
Security threats are pervasive and prodigious. Security software vendors are tracking as many as 85,000 new malware threats daily. In 2015, security researchers discovered more than 30 million unique new malware samples in the wild. And tens of millions of data records and user accounts are compromised annually.
No business is immune, as hacks affect companies of all sizes, from Yahoo (500 million compromised accounts in 2016) to Main Street small businesses. The need for security is high, and security spending is growing at nearly triple the rate of the general IT market. By 2020, total security spending will top $75 billion – and it still won’t be enough to stanch the breaches.
Complicating the security equation is a severe security talent shortage. Security unemployment is absolute zero. Security job requisitions are nearly equal to the total unemployment rate in the United States. The shortage is so bad that even bad infosec professionals have job security.
So it seems reasonable for vendors to encourage partners to jump at the expanding security opportunity. And many are doing just that, particularly smaller resellers and managed service providers (MSPs).
My advice: don’t.
Security isn’t a product you just sell. If you misconfigure a server, a customer may temporarily lose access to files. If you misconfigure or poorly deploy a router, you may have unstable connectivity. If you don’t do security right, you could lose everything.
A couple of years ago, The 2112 Group worked with an innovative security start-up that wanted to provide MSPs with a rather valuable security offering. The vendor would provide all the intelligence and direction partners needed to secure their customers and respond to threats. The model should’ve been exceedingly beneficial to downstream customers and, consequently, profitable to partners.
There was just one problem: Deploying the company’s solution required partners to have more than rudimentary security knowledge and skills, and it required them to do more than just issue alerts.
Security isn’t easy, and it’s not for the faint of heart. The average security professional spends years training and honing their skills to understand the underlying codes, the threats facing infrastructure and applications, the attack vectors, the response measures, the strategies for mitigating risk, and the ins and outs of policy management.
Effective security is dependent on the balanced execution of the four Ps:
1. Policy: the requirements, operating parameters, and objectives of a security strategy and program
2. Process: the workflow for executing and managing security policies
3. People: the training and enablement of all IT users in an organization
4. Product: the acquisition, deployment, and management of security technologies
And because of underqualified security resellers and misguided end users, we’ve added a fifth P to the list: prayer. No one security product will solve the risk exposure challenge. Those who don’t know how to build and manage appropriate security systems will need to rely on that fifth P. They’ll need to pray not that their inept systems and support will prevent a breach, but rather that their business will survive when the inevitable breach happens. And breaches will always happen.
Encouraging partners to adopt security and develop security practices isn’t a bad thing, but it should be done only in measured tones. Security needs more professionals, and services are the only way to scale the limited resources. But entering the security market requires investment that won’t produce a return immediately; it’ll take time to develop the resources and intellectual capital to provide the value the market needs.
Some security proponents may say partners can enter the security market by hiring the professionals they need to get started. Perhaps that’s true, but, as noted above, competition for those scarce resources is stiff. Security professionals can name their price for salaries and incentives, and that often places regional and local partners out of the running when competing with national organizations with deeper pockets and higher career ladders.
Generalists can participate by acting as scouts for security vendors and professionals. Identifying customers with security needs and referring those end users to professional organizations represents a viable and valuable service opportunity. The generalists gain the benefit of revenue while satisfying customer needs. The security professionals gain business. And the customer gets better protection.
Undoubtedly, the market needs more security professionals who can implement effective risk mitigation systems and services. But vendors should resist pressing neophytes into security, as inept implementation can do more harm than good.