Service provider takeaway: Service providers learn how the antivirus market has evolved and how selling antivirus
services can create business opportunities.
If you ask most consumers and small business personnel what they know about security, they'll talk about antivirus software. After all, antivirus is part of the standard PC build and almost universally deployed. I know Microsoft said 50% of the market wasn't using antivirus when it launched Forefront, but I guess I only deal with the 50% that has deployed antivirus. Everyone I know seems to have it. So what does that mean for security value-added resellers (VARs) and solution providers?
Looking at the market for antivirus services through the prism of the security channel, there are a couple of observations to be made:
- Don't ignore the power of inertia: A vast majority of antivirus service renewals just happen. Of course, it's not as easy as that. You actually do need to generate a quote and collect the money, but most customers just write the check because they think they should. I doubt many VARs tell them any different.
- There is very little loyalty: A customer isn't going to be up in arms if you suggest they go from Symantec to McAfee. Customers don't really care which antivirus product they are using as long as they think they are "protected."
- It's never just antivirus: The antivirus players do a lot more than just antivirus nowadays and they want you to sell more than that. They are happy with the renewals each year, but they also want you to start moving their perimeter, data leakage or application security offerings.
The antivirus market is brutally competitive. Differentiation is a myth and nobody even bothers doing comparative tests among the products anymore. All of the suites do a decent job of protecting what needs to be protected, but competition can be either friend or foe to the antivirus services reseller. You know competing resellers are approaching your customers to displace you, with offerings that are pretty much as good as yours. Of course, you can head that challenge off by keeping a few antivirus suites in your bag and renewing the one that makes the most economic sense for your customer.
But now it comes time to face the most significant fact -- decreasing margins. This is a mature business and in mature businesses, there is less margin to go around, which will inevitably lead you down the path of considering resource allocation. Antivirus is like plumbing. It's not exciting, but everyone expects to have running water. Some plumbers are rich and others struggle. Should you still focus on running water when there are fancy new tankless water heaters to sell?
The short answer is yes -- it's still a good business. Basically, the endpoint security suites of today are not your grandfather's antivirus. There is a lot more in the suite now, including new technologies like endpoint application control and desktop data encryption. These bundles allow you to maintain margins, even in the face of commodity competition on the antivirus front. If you are open to extending your line card, a number of antivirus vendors from outside the U.S. are aggressively courting resellers around the world by throwing attractive margins and other incentives your way.
Now that you're staying committed to the endpoint security business, how do you prosper? I wish I had some magic bullet for prosperity, but it's still about doing the right thing for the customer. If they have mobile devices that hold private customer data or proprietary intellectual property, then those devices need to be encrypted. It's your duty to convince the customers they need a bundled solution, which also happens to represent an up-sell for you.
You should also look for leverage with other security operations, which will present an opportunity to deepen your relationship with the customer. Even if the endpoint offering doesn't provide golden margins, it's still an economic transaction with the customer and allows you to find other opportunities to add value.
For example, does it make sense to build a common security management environment for all device operations and some network security functions? Does the customer's organization chart lend itself to that kind of offering? What about other emerging opportunities like database or application security? You lose all of the opportunities you don't know about.
Of course, this recommendation makes a pretty big assumption about your expertise and place in the buying process. Endpoint security is a mature business and it's not overly complicated to implement and support. If you specialize in early technologies, antivirus services are probably not a good fit anymore.
Be true to your place in the value chain, and the answers about what to focus on tend to appear. Endpoint security is still the cash cow, but you'll continue to be better off by using it to find other opportunities to bring value to your customers.
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.