Service provider takeaway: VARs and service providers learn how to do business in a security monoculture.
Five years ago, Dan Geer (and a number of other security industry luminaries) wrote Cyber Insecurity, an opinion paper that discussed the long-term impact of a company controlling 90% or more of the operating system market. That company was Microsoft, and the danger was termed "monoculture."
The really smart security folks thought that Microsoft and its monoculture were dangerous -- but does this monopoly differ from that of other dominant players, like Cisco in the networking space or EMC on the storage front? What are the risks of this type of dominance? And what does the monoculture mean for value-added resellers (VARs), who are increasingly under pressure to increase sales volumes with a certain set of manufacturers so that they can be rewarded with higher margins and more perks?
Ultimately, the way to think about this is not from the VAR's perspective but from the customer's perspective. Is this dominance and channel/distribution leverage good for the customer? That's really the important question. As we all know, if the customer is unhappy, or their business is exposed or less secure, then everyone loses.
Big is the new small
Back in 2006, I coined the idea of "big is the new small" to describe the ongoing trend of larger security manufacturers building broader product lines
But VARs provide some of that function of "one throat to choke" -- a single point of contact so the customer doesn't have to go chasing multiple vendors to solve a problem. Isn't the VAR supposed to act in the best interests of the client and bring forth solutions that meet the customer's problems, regardless of manufacturer?
The manufacturers are offering some attractive benefits for higher degrees of loyalty, and the economics for "exclusivity" are compelling. Companies like Cisco, EMC/RSA, Juniper, SonicWALL, even Blue Coat and Websense are pushing their partners to drive more and more volume. They keep expanding their product lines to provide more offerings to partners, and in return, they expect a bigger share of your customers' wallets. Of course, they don't (and can't) demand exclusivity, but it's clear that more volume is better, and VARs are continually challenged to defend why they are doing business with the competition.
So what is a VAR to do? Basically, rely on the advice that allowed you to build your business in the first place. Do the right thing for the customer.
Focus on the customer
The reality is that each of these big aggregators has some products that are good and some that are not so good. Using the good products is a no-brainer. Using the not-so-good products can be counterproductive and cost you money. The customer will be unhappy. Your support costs will be higher, and you'll spend time cleaning up the mess instead of selling more strategic solutions.
Given the pressure most VARs are under to increase volumes, picking a best-of-breed offering can force you to defend your position to the manufacturer. But that's not a big deal. It's easier to defuse a pissed-off vendor sales rep than a pissed-off customer.
The only exception I can see to selecting the best product is when integrated management is paramount -- if you are supporting the equipment as part of a managed service, for example. Then the customer won't care about specific products, as long as they work. And there can be great efficiency gains on your end by using a common management hierarchy.
But don't sacrifice your customer relationships on the altar of higher manufacturer margins or short-term incentives and contests. That short-term thinking will stunt your long-term opportunity and drive up your short-term costs, which is a killer combination -- and not in a good way.
So use the monoculture to your advantage on your terms. As long as you are in control and focusing on the customer, "big is the new small" is a trend you can take to the bank.
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Read his blog at http://blog.securityincite.com, or reach him via email at mike.rothman (at) securityincite (dot) com.
This was first published in May 2008