Solution provider takeaway: Learn the benefits and disadvantages of operating a specialized security solution provider business versus a generalist one.
"To specialize or not to specialize? That is the question."
OK, maybe not quite William Shakespeare, but for anyone running a security reseller business, it's actually a critical question. Do you want to be a generalist who can solve any problem your customers potentially have? Or do you want to focus on a specific area and become known as an expert in that security specialization?
I bet you figure you can do it all -- have a balanced life, a house, 2.1 kids and a white picket fence and solve every security problem your customers have. Unfortunately, the real world doesn't work that way. Some customers want to be on the cutting edge, while others only want to look at a new technology when everyone else they know has bought in -- and there are many customers between those extremes.
Truth be told, you can sell pretty much anything to anyone at any stage of the technology adoption curve. But keeping them happy and providing enough value to sell the customer more stuff over time is a greater challenge. High-transactional, low-value firms do exist and, in some cases, can thrive. But it's hard because that's all about volume.
But we are getting ahead of ourselves. I believe the security specialization question is dependent on the maturity of the technology you sell. Are you focused on early markets or mature markets? Do you fancy yourself an expert or are you better suited to provide broader, more mature security solutions? The only wrong answer is to have a misguided perspective of your value. It doesn't matter what camp you're in, as long as the camp reflects your staffing plans, your sales structure and your manufacturer relationships.
There are pros and cons to both offering specialized security services and the generalist approach, but it usually comes down to margin, money and expertise.
- Margins on "expert" security services will always be higher because there isn't as much readily available talent. Supply and demand dictate that you can charge more and have less competition.
- Money can be roughly equivalent because emerging markets tend to focus on big-ticket, high-margin items. On the other hand, mature markets tend to be more widely deployed within an organization.
- Expertise is really where the rubber meets the road for this kind of decision. The security folks that specialize tend to have a higher-end type of staff, including sales and technical resources. They have to because they are dealing with early technologies, many of which are not ready for primetime usage. Sure, you rely on the manufacturer a bit, but ultimately, you have to be able to take down these deals yourself -- and that means high-end folks. VARs who do whatever their customers need them to do tend to be able to staff with lower-end personnel -- folks who are trying to get their sea legs in the security business or who like focusing on a bunch of different products at any given time.
Given how quickly the security business evolves, specialists need to constantly rejuvenate their practices, searching for the next new thing to stay ahead of the commodity curve. For instance, you easily could have specialized five years ago in intrusion prevention system (IPS) deployments and built a defendable niche. Nowadays, not so much. Almost any VAR doing any kind of security has a unified threat management (UTM) device they can bring into the account.
With those additional margins generated by focusing on value-priced, early market solutions, you also need to be tasking some of your personnel to learn new disciplines, like database security or virtualization. These are early markets and small opportunities right now, but over time they may emerge -- and you'll need to be ready.
Specializing in security can be agonizing as you try to figure out which new technology to bet on. You have to understand that more than a few will burn out, taking your people and resource investments with them. On the other hand, it's not like being the 40th guy in your zip code to offer antivirus (AV) renewals or a network firewall is an "easy" path either. Sorry -- there is no easy path in security.
Ultimately, the decision comes down to what kind of business you want to run. I know folks who have been successful using both kinds of models. The security specialists tend to have a higher opinion of themselves, but a lot of generalists think life is great as they climb into their Porsche and head out to the country club. Things like AV and UTM certainly can pay for a lot of greens fees and cocktails at the 19th hole.
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Read his blog at http://blog.securityincite.com, or reach him via email at mike.rothman (at) securityincite (dot) com.