bluebay2014 - Fotolia
Channel partners new to the security vendor landscape will quickly realize the market isn't for the faint of heart. The vast number of products offered today can be dizzying to sort through, to say the least, and vendors sometimes don't give you the full story when pitching their technology. These conditions make developing a cybersecurity stack for your business an arduous project.
Channel partner executives who have successfully built cybersecurity practices said the key is to do your due diligence and keep your customers' needs in mind.
"The information security vendor landscape is ridiculously overcrowded," said Eric Foster, president of Cyderes, a division of security firm Fishtech Group based in Kansas City, Mo. He noted that there are around 700 to 1,000 vendors that typically attend the RSA Conference. "You could probably sit in meetings for three months with people telling you how they can help. You have to look at which of these solutions add real value to your customers, not just who wanted to meet with me or who has the most compelling presentation."
Pinning down the right security technology
When exploring the multitude of security offerings on the market, an important metric to consider is if the technology presents strong ROI for your customers, Foster said.
"I'm always a believer if you're doing right by your customer, that will really make a difference for them [and] everything else will work out," he said. "Don't look at [which vendor] has the best incentives or marketing program."
For partners new to the security vendor landscape, Foster advised first talking to your customers about their specific needs. Partners should then research security products on social media so "you can hear practitioners talk about what's actually working for them."
This is important to do because "a lot of current cybersecurity solutions are addressing problems from 20 years ago" and do not have a cloud model, he said.
"I think almost everyone selling physical appliances is … out of touch" and just trying to maximize their revenues, Foster added. "You still see a lot of [vendors] pushing an all-in-one [cybersecurity] box." Vendors will say that once it is in your data center, "it will do all these things. But the reality is every company has a huge mobile workforce, so people need to work from everywhere and that one box won't allow that."
Product usability, integration considerations
Channel partners should evaluate the security product's control panel, said John Burgess, president of Mainstream Technologies, an MSP based in Little Rock, Ark.
Some control panels are built on new technology, while others are clunky and dated in appearance. Burgess cautioned, "Is it a tool that may be at the tail end of its lifecycle that maybe [the vendor] slapped a new coat of paint on?"
Once a channel firm decides what security services it wants to include in its offerings, Burgess said partners need to do thorough research. "A lot of times, vendors are trying to grab as much real estate as they can" and will have overlapping offerings. Product integration is a big factor in his decision-making.
"If I can get these five things under one umbrella from one vendor and they're thoughtfully integrated," the vendor becomes a candidate, he said.
Like Foster, when researching the security vendor landscape, Burgess said he looks for if a vendor is mature and has a solid reputation.
"Part of that decision is, what is the nature of your engagement with that vendor from a financial standpoint?" Burgess said. "If they want you to buy a huge stack, then all the risk is on you to go and sell it once you have this huge capital investment" as opposed to the "by the drink" option.
Eric FosterPresident of Cyderes, a division of Fishtech Group
Questions to ask the security vendor
Foster homes in on questions about customer ROI when he talks to vendors. "If someone knows their product makes a difference with their customer, they'll be able to tell you [how]."
He said channel partners should ask vendors direct questions such as, how have they improved their customers' security programs, and, how does the vendor measure success in a customer deployment? "If they say, 'We know we saved them this percentage of their budget and solved this problem or [stopped] this amount of threats,'" those are tangible numbers. "That goes a long way for me and says these guys get it."
Some vendors will want to partner with an MSP but haven't yet thought much about the relationship beyond, "I'll sell you this technology at a discount and then you can deliver it to your customer," Foster added. He said an MSP will be "way more successful" with a vendor that has a demonstrably extensive and mature managed services program.
Because Mainstream Technologies has many highly regulated customers, Burgess said a big question for him is whether the vendor is audited. He also wants to see the vendor's roadmap.
Channel firms should know how a vendor's vision compares to its competitors because "that could be a tiebreaker if there's a [technology] gap and you're looking for a potential solution," Burgess said.
He reiterated that it's important to know what the vendor's expectations are for the partner's investment in the tool. "How much of that is 'by the drink' and how much is the base platform? And do I have to sell 100 customers until I break even, or is it something I can grow into?"
After a partner has identified a potential vendor partnership, Foster recommended asking for references. This can help to uncover red flags.
"I'm always going to want to talk to end customers," he said. "If [the vendor] can't set up a decent reference call for me," it serves as a warning of a hidden issue. "The discerning buyer wants to talk to customers and see what success looks like … and we're starting to see a lot of customers ask those questions because they've been burned by those solutions that don't work or give them what they need."
It's also a good idea to talk to your fellow partners, Foster and Burgess agreed. Most of the time, you won't be the only channel partner that the vendor is working with.
Everyone makes mistakes
One mistake Foster made early on was launching a cyberdefense platform on AWS Elastic Beanstalk, which he thought would be an important component of their security stack.
"While [AWS Elastic Beanstalk] is an interesting technology and makes more sense than building a data center, we found that trying to do logging at scale and solving … security telemetry at scale … became cost-prohibitive" because it was hard to predict expenses, he said.
Before Mainstream Technologies formally launched its cybersecurity services, Burgess said one of his missteps while testing the waters was to stick with legacy vendors. "We didn't look at them critically … and are in the process of having to unwind some of those relationships," he said. "The horse we had in the barn wasn't right before this evaluation process got refined."
Burgess' message to other channel partners looking to develop cybersecurity offerings: Just because you're using a vendor currently, don't assume they're the right one for security.
"It could turn into a reputational or quality-of-service issue for you," he said. "Don't continue using someone just because you know them. Loyalty is one of our core values, so it's a hard thing, but make sure you're staying with a legacy provider for the right reasons."