How to sell endpoint security; and how to make a living at it

Selling endpoint security doesn't come with many service opportunities, but VARs and analysts say it can still be very profitable.

Endpoint security products and services should be the easiest thing in the world to sell.

One recent audit found endpoint security vulnerabilities in every organization it looked at. Another study predicts the endpoint security market will more than double from 2007 to 2008. And there's a constant stream of news about companies and agencies losing sensitive information.

Clearly, selling endpoint security presents a major opportunity for value-added resellers (VARs), but they need to be as skilled with policy development as they are with technology to be successful.

"It's not always easy to educate customers on the threat levels out there," said Al Maslowski-Yerges, project and security manager for Novacoast, a Symantec VAR based in Santa Barbara, Calif. "It takes a lot of time, and it's pretty heavy technically."

Selling points

Endpoint security looks to address growing concerns over data breaches by controlling who can enter the network and, more importantly, what can leave it.

Most of Novacoast's endpoint security sales

 There are a lot of layers you have to put in place to secure the data, which is ultimately what we're trying to do.
Mike Rothman
PresidentSecurity Incite

result from being proactive -- going to customers and telling them why they need it, Maslowski-Yerges said. Many customers have the feeling that a crippling data leak won't happen to them, so Novacoast performs on-site security assessments to show how easily information can leak from their endpoints.

When asked if those demonstrations open up customers' eyes, Maslowski-Yerges simply replied, "Oh yeah."

If that doesn't work, another selling point can be the opportunity to make endpoint security part of a full, policy-oriented security solution, said analyst Michael Rothman, president of Atlanta-based Security Incite.

"You've already got the customers," he said. "What you can do is up-sell to them."

Businesses and organizations no longer want separate agents for antivirus software, firewall and other traditional security features, so selling endpoint security gives VARs the chance to put them all together in one easier-to-manage console. Even customers who do not realize the need to protect their endpoints will understand the benefits -- in cost and ease of use -- of integrating their security, Rothman said.

"That's always a very powerful value proposition," he said.

Rothman also suggested that work can be the starting point for VARs to develop more innovative, "higher-level" security products for their customers.

"There are a lot of layers you have to put in place to secure the data, which is ultimately what we're trying to do," he said.

Customer demand

Earlier this year, security vendor Promisec audited 30 organizations with 500 to 15,000 users and found endpoint risks at every single one. At one business, more than half of its endpoints had unauthorized USB devices plugged into them -- an easy way to take sensitive information out of the protected network, either accidentally or maliciously. At another business, nearly a quarter of employees were on file-sharing networks, which can introduce viruses and other threats to corporate networks.

And a Gartner Research report issued in December said that, although "the move to converged endpoint suites will be a long road," the enterprise adoption rate for endpoint security will increase from 15% to 35% by the end of 2008.

Maslowski-Yerges said he expects to see Novacoast's endpoint security business grow within the next six to nine months. Most demand now is coming from customers in highly regulated industries, including retail, banking, healthcare, education and government.

"It's still very much emerging," Maslowski-Yerges said. "Right now it's been a fairly small part of what we're doing."

SoftChoice, a Toronto-based VAR, is also preparing for increased demand for endpoint security.

"[Customers are] hearing about it, and they're asking questions," said Tema Mueller, director of marketing for security, storage and software solutions. "It's something that we've been doing additional training on."

But Brad Reed, vice president of Internet security for

More endpoint security news for resellers
Audit finds endpoint security threats in every end-user company

Data theft creates a rich product, services market for VARs

Miami-based VAR Compuquip Technologies, said most of his customers already have some basic endpoint security product in place. Compuquip, a Check Point Software partner, is now selling more advanced features like file encryption (to protect data even if it does go missing), USB authentication (to prevent unauthorized copying of data) and smart card technology (to prevent unauthorized access to data), Reed said.

One challenge in selling endpoint security can be funding on the customer's end. Maslowski-Yerges said only about 5-10% of potential customers that Novacoast has talked to have the money available to buy a full endpoint security solution. Another 20-30% have some money available and need to prioritize -- which features they need immediately and which can wait.

"We end up doing a lot of pre-sales effort to help them understand," Maslowski-Yerges said.

What's out there?

As predicted by Gartner, endpoint security suites are becoming more common in the market. Many large vendors now offer products that integrate intrusion detection systems and network access control (NAC), but -- good news for the channel -- no out-of-the-box suite is fully integrated to protect against every endpoint threat.

Novacoast primarily sells Sygate Endpoint Protection, which is now part of Symantec's new Endpoint Protection 11.0. The product's features include antivirus, firewall, network intrusion prevention and an optional host-based intrusion prevention system.

"Nothing [else] has really stood out as a must-have solution," Maslowski-Yerges said.

SoftChoice is also a Symantec partner but works with McAfee, Trend Micro, Sophos, Websense and other vendors as well, Mueller said. Symantec is "really pushing" Endpoint Protection 11.0 and offering additional training to help partners make more sales, she said.

Emerging vendors are also looking to capitalize on the endpoint security trend. Cyberoam sells a NAC-like unified threat management (UTM) appliance that can restrict the flow of information out of corporate networks. VARs have the opportunity to integrate additional features, like software that can inspect outgoing content for protected information and prohibit the copying of sensitive data to portable drives or media, Vice President Joshua Block said.

Regardless of which products VARs choose to sell, they should make sure to partner with vendors who will support their sales cycles and help get them engaged with customers early on in the process, Block said. And he had this message for VARs who are thinking about getting into the endpoint security market: If you decide to, you need to make a dedicated effort and get all the proper certifications.

"That's missing from so many partners out there," he said.

Services opportunities

Other than selling products, the biggest channel opportunity in endpoint security is helping customers align policy with technology.

Most customers will have some government and/or industry regulations that spell out how they must protect their sensitive data. Those that don't -- and even many who do, if they want an extra layer of protection -- will need to have internal policies in place that say who can access what information and what they can do with it. VARs should help those customers come up with those policies and make sure they are enforceable through the technology they are selling.

"I really see that as a positive of the endpoint security discussion," Maslowski-Yerges said. "It brings the whole discussion back towards the nuances of what makes good security."

Through its years of working with customers, Compuquip has developed templates of best-practices policies for customers in different industries. Those documents can help save time, making both VARs and their customers happy, Reed said. The key, he added, is to make sure to keep the policies updated as government and industry regulations change.

But sales and integration are where the big money is, and "there's not a huge opportunity for services on top of that," Rothman said.

The major integration work includes making sure that the product works both locally and remotely, and that it fits with the customer's existing logging and alerting systems, Maslowski-Yerges said.

Still, despite the lack of much post-sale and post-deployment services work, endpoint security is a market worth getting into, according to VARs and experts. Vendors are willing to give "significantly" higher margins as they try to get their new products a stronghold in the market, Rothman said.

"It's very profitable," Reed said. "On the services side, it's not as extensive an amount of services as we would like it to be. But on the product side, the vendors have processes in place for us to be able to do very well financially."

Let us know what you think about this story; email: Colin Steele, features writer.

Dig Deeper on MSPs and cybersecurity