Selling security software and hardware to enterprise customers can be difficult, given their sheer size and the need for buy-in from multiple departments. But enterprise customers can write seven-figure checks, so you don't have to kill a lot of those elephants to be a hero in your shop. After all, it's just as easy to sell a million-dollar deal as it is a $10,000 deal, but the margin is a lot better, right? Or wrong? Is it better, given the emerging security market dynamics, to focus on selling smaller products to many small and medium-sized businesses (SMBs) -- or does it still make sense to focus on young enterprise markets with lots of margin and high-ticket items?
If you do a bottom-up analysis, clearly there's something to be said about the size of the SMB market. There are around 26 million small and medium-sized businesses in the U.S. alone. You don't have to get much market share, even in your own region, to put up some big numbers.
Before you walk away from those big NAC and DLP deals (which you've been working on for nine months already with another six months to go -- if you're lucky), there are some things you need to know about playing in the SMB market. And quite a few of them will require you to rethink the way you do business.
Go-to-market is different
In many cases, vendors will bring you large enterprise deals that they are already working on because they need local support. When you target an SMB customer, you aren't going to get much of anything from the vendors. You may get a lead, but they could be tire kickers or someone just looking for a T-shirt at the local ISSA meeting. There is a lot of brute-force qualification work that needs to be done in the SMB market.
Lead generation is different
You can afford to wine and dine your enterprise customers because they will (hopefully) buy a lot of stuff from you throughout the year. You work with them constantly, you know what projects are in the budget, you know where they need a bit of staff augmentation or other services work, and you are the go-to service provider when they are ready to buy.
In the SMB market, not so much. You are dealing with customers that have a short attention span because they are typically responsible for all of IT, not just security. You've got to get to these guys where they hang out, and it's usually not at a security show. Instead, look for them at Microsoft or Cisco or Salesforce.com events. You also need a marketing model using a lot of online and offline tactics (email, direct mail, advertising and search) to get six to 10 impressions with each of these folks before they'll even take your call.
Managed security services and the SMB
I'm expecting a managed services model to become much more pervasive in the SMB market. Why? Because the customers just don't want to deal with it. They want the problem to go away. Not having a box or having a box that someone else is responsible for is very compelling to them.
Which managed services make the most sense right now? Your best bets are going to be antispam and firewall/VPN monitoring, with Web filtering starting to look pretty attractive as well. What you want is a service that can be implemented quickly and will provide a lot of operational leverage and great margins on an annuity-type of business.
Sales cycle is different
Finally, a positive in dealing with the SMB. Basically, small businesses want their systems or hardware to work, and they want you to make them work. Most SMB IT directors are not specialists, so they need a simple solution, and they are usually willing to pay you to install it and support it. Once customers decide they need something, there generally aren't groups of influencers or extended testing periods. If they have the need and like you (or your rep), then they'll buy. But you need to have a more transactional order processing capability. The hope is that you'll be doing lots of transactions every day, which we know isn't the case in the enterprise market. So think about your end-of-quarter craziness, from an order processing and logistics perspective. That could be every day for you. Make sure you are ready.
Level of vendor tech support is different
That's right -- you won't get a lot of love from your manufacturers. They can't make a lot of money if they spend a ton of time on a $3000 deal. So they expect you to do that and make your margin. That means you are Level 1 and Level 2 on the support front. It's also debatable whether you'll get adequate Level 3 support from the vendor. Make sure you understand the products well enough to really support them. Ultimately the customer is counting on you to provide the services that make the products work.
Sounds like a lot of fun, eh? Well, it can be, if you hit the market correctly with a model that you can support. Take antispam, for instance. When that market hit its exponential growth phase, lots of value-added resellers (VARs) were doing two or three deployments per day. Sure, the boxes didn't cost a lot, but doing a bunch of installs for $1,500 was a pretty good way to keep staffers utilized and revenue coming in.
About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at firstname.lastname@example.org.