Back when I was on the manufacturer side, my buddies and I thought how green the grass is for VARs. You get to profit and benefit from any hot security market, while the vendors have to actually push the rock up the mountain and build the market. Oh, the humanity!
If it were only that easy, right? On the positive side, security VARs do get to pick and choose which markets to focus on. But all that glitters is not gold and "white hot" security markets like network access control (NAC) and data leak prevention (DLP) bring as many difficulties as they do benefits. You know the kind of markets I'm talking about – the press is all over them, new vendors are coming out of the woodwork with better, bigger, faster products, and the quantitative analysts project a billion percent growth over the next three years.
When the hype cycle gets this crazy, part of me wants to go sit in on an island until the dust settles. But that's not the best course of action if you're a VAR. Let's take a look at the pros and cons of white hot security markets and how you can minimize your risk while navigating them.
Since I'm trying very hard to be an optimistic type, let's first look at the benefits of playing in a hype-ridden market. It's true that there's a lot of good news relative to not having to evangelize a technology to your customers. They are likely already talking about it. In most cases, they'll ask you for your opinion about the new products.
These customers are also usually willing to kick the tires a lot more readily. A new NAC box that promises to do everything for everyone? Sure, bring it on by. Try that with a less exciting product like biometrics (with a suspect value proposition) or the new antivirus (a commodity). Right, you thought salmon swimming upstream had it tough. So, given the difficulties in getting any attention from customers nowadays, this isn't a bad thing.
Additionally, early markets drive a lot of service opportunities. It's mature enough to be beyond the really early adopters, but not to have the deployment model totally worked out. This creates significant revenue opportunities for VARs.
Given my cynical nature, it's usually a lot easier for me to point out why even a very hot security market can be challenging to navigate. The first and most significant issue is that of confusion. In a fast moving, faster growing market, everyone wants a piece. So one day you have one or two vendors doing the yeoman's work of building the market. The next day you have 15 vendors telling exactly the same story and confusing customers.
Next, the competition of having an early market being picked over by 15 vendors is brutal. All the vendors sound the same and perceived differentiation disappears overnight. Let's jump into the time machine and remember the antispam market. It seems like over night 40 vendors appeared spouting the same cocktail of detection techniques and bigger, faster boxes. VARs ended up having to spend a lot of time tracking the market just to stay on top of the disinformation being spread by less-than-savory manufacturers. I've been there. It's no fun.
Don't forget that what giveth can also taketh away. Since the products are not mature enough to work well, there are service opportunities. But this also makes evaluations and bake-offs very problematic. In fast moving markets, most customers want to do a bake-off, and the ones trained well in the art of buying security products don't like to pay for evals. That's as fun as a root canal.
So what do you do? Do you just wait for the market to mature and become less complicated? You can, but you may miss out on the high-margin product and service opportunities that are characteristic of early markets. So this isn't really an option, given your role as a trusted advisor to the customers.
That being said, it makes more sense to tread slowly. That means you pick one manufacturer initially and get smart on their technology. It won't be clear whether the vendor you choose will make it or whether the market will even happen. This forces you to make strategic bets all over the place. But it's better to pick one vendor and roll the dice, than pick them all and burn up a lot of time in a market that doesn't happen (PKI anyone?).
Once the market matures a bit and market leaders emerge, then you can expand your line card. Much of your market knowledge will be directly applicable to the other vendors. But to bet too early on a specific market is asking for trouble.
Given that there will be multiple manufacturers to choose from, how do you pick the good ones from the bad ones? That takes a bit of good, old-fashioned research. You probably know the early sales staff of at least some of the vendors because you've been to the dance before and the same folks keep showing up with new business cards. So that's a start.
Look for other signs of early momentum. Make sure the management team has done it before -- especially with the channel. Other favorable signs are the backing of top-tier VCs and a decent amount of marketing activity. But it's a balance. It's bad if they spend so much on marketing they fly into the mountain. But it's also bad if they don't spend anything and expect you to build the market for them.
And yes, over time there will be consolidation and at least some of the partners on your line card will have new business cards and pockets overflowing with acquisition money. Make them buy dinner. The good news is dealing with consolidation is a known process.
Running the risk that I'll sound like a broken record, the last bit of advice I'll give is to ALWAYS stay focused on the customer. Even if it's a hot market, if it's not going to add value to the customer – wait it out. Even if you have a bunch of vendors chasing you to talk about their fancy new widget, it's not worth alienating long-standing customers to move a few boxes – even if you could.
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.