
Loss leaders: Security products and services to get a foot in the door

Maintaining relationships with current customers and winning new business can be daunting challenges for security solution providers. Loss leaders serve as a way to get a foot in the door and can lead to more lucrative opportunities down the road, but only if the correct security products and services are offered.

Shop at any big box retailer and you see them everywhere: loss leaders. Many stores offer deep discounts on things like gigantic jars of pickles, combo packs of cat food and imported DVD players simply to get customers in the door and upsell them on more expensive goods.

For security solution providers, the concept is the same: Offer discounts on a few products or services that will sell quickly and drive additional sales. While common sense suggests that selling products or services at a loss isn't good business, loss leaders can serve to either get more business from an existing client or help establish a new relationship. Savvy security solution providers can use the loss leader experience to nurture a relationship with the client and position the company for repeat business.

The key to success with a loss leader is to follow a proven formula: low price, rapid delivery, high value and top quality must be combined with a critical ingredient, placement. Let's review each below:


Low price

Loss leaders need to overcome impulse buy limitations. That is, what's being offered must be inexpensive and provide sufficient value such that the buyer feels comfortable making an impulse purchase.

Most organizations have a purchasing ceiling and management generally has great discretion for purchasing under that ceiling. For example, many public agencies allow department heads to purchase anything under $5,000 without obtaining competitive bids or conducting a formal procurement process. To put that example in context, some customers may not have the budget for a full-scale penetration test. However, some may have a discretionary limit of $3,000 for services. A basic security scan or focused test, priced just under $3,000, may be easy to justify, considering the low cost and high value. Each market and product is different, but most company executives consider $5,000 to be a good ceiling for any loss leader product or service.

Rapid delivery

Impulse purchases demand immediacy, and as such a loss leader must deliver rapid value to be considered a success. If the loss leader is a technology, such as a firewall, encryption or remote access product, it must be procured and implemented quickly. Long support or integration cycles will erode the feeling of value and make the customer feel cheated.

The same applies to consulting services. Select services where the work and deliverables can be concluded in less than 30 days. Strategic reviews, vulnerability scans and architecture analyses are ideal, provided the work can be completed quickly.

High value

A loss leader must feel like a bargain to be effective. An ideal loss leader helps solve a common problem or empowers people to accomplish goals. For example, a policy analysis of an existing firewall may show that the device can no longer handle the business' needs. IT staff could use a report from a third party to convince management that investment in a new firewall is warranted. Priced correctly, a firewall policy analysis service could sell quickly and give the IT team the justification needed to replace an old system. However, it's vital to not attach strings to the security product or service. Trapping a client into mandatory follow-up work or hidden expenses will erase whatever feeling of value there was and replace it with resentment.

Top quality

A loss leader must accentuate a VAR's good points to guarantee repeat business. This may be the only chance to impress the client. As such, it's a good idea to develop a loss leader implementation that leverages existing expertise. For example, VARs with experience in Active Directory security may consider using that expertise to offer an AD security assessment or similar service. Avoid loss leaders that require investment in new expertise; that increases the chance of failure and lost follow-up business.


The key here is clarity. A loss leader should be tightly defined and provide a clear definition of success. The requirements, expectations, responsibilities and deliverables should all be documented, in detail, as part of a statement of work. If a loss leader engagement isn't handled properly, there will not be any repeat business, which undermines the entire point of offering the loss leader.

Before offering a loss leader to paying customers, VARs should engage existing customers for "beta testing." These opportunities can be used to iron out the bugs and optimize the product or service. This may require performing the first few engagements for free. It's also vital that "beta testers" agree to collaborate with VARs to improve the solution after testing.


Placement

Placement, perhaps the most important and delicate aspect of offering a loss leader, has two core parts: reconnaissance and ongoing engagement.

To get repeat business, VARs must determine what (if any) additional opportunities exist within the customer's company. The staff assigned to complete a loss leader project must discreetly and respectfully perform reconnaissance on the client. The ideal way to do this is to engage the clients in casual conversations about their environment and pain points. Many people will openly discuss what security aspect is giving them trouble during a casual, non-threatening conversation.

A single, well-placed question may provide a wealth of information. For example, suppose a technical engineer is on-site and notices staff struggling with VPN connectivity. A casual query could reveal that the customer is unhappy with their current firewall and seeking to replace it. With the right kind of follow-up, the engineer, in collaboration with the account manager, can pursue that lead.

This presents the second ingredient: ongoing engagement. Account managers must remain engaged with the client before, during and after the project. They need to carefully pursue leads while demonstrating sensitivity to the client's needs and expectations. With effective engagement, VARs can transform a loss leader into a long-term, lucrative relationship.


Loss leaders have some drawbacks. Managing customer cost expectations is important. After the loss leader product or service has been implemented or executed, a client may perceive the VAR as being a "low-cost" provider. Customers may then be unwilling to spend more on follow-up services. Marketing the loss leader as a "special" or "one-time opportunity" can help to combat this issue. The client needs to view this as a unique occasion with special pricing.

Reconnaissance and engagement are also tricky to get right. Overtly "spying" on a customer during a project could end a relationship permanently. Not every personality is well-suited to perform the delicate task of reconnaissance. When selecting the staff to complete a loss leader project, it's important to use experienced consultants who are not only competent, but also personable and tactful.


A loss leader can drive business for security solution providers if it is developed, delivered and sold properly. As access to accounts becomes more competitive, especially in a tough economy, VARs can use loss leaders to open the door and establish themselves as a go-to partner.

About the author
Andrew Plato, CISSP, CISM and QSA, is president and principal consultant at Anitian Enterprise Security. Andrew has over 15 years of experience in information systems, networking and computer security. Prior to running Anitian, he was a database developer and technical writer for Microsoft. In 1997, he helped start up Network ICE Corp., which marketed the first protocol analysis-based intrusion prevention system.
