Five things every security service provider should know

CompTIA recently released a new study examining the changing nature of cybersecurity offerings from service providers. Security in the IT Channel surveyed 400 IT channel executives on how they’re delivering security services to their customers. From user education to branding, the report identifies several opportunities for channel partners to best leverage the latest technology and best practices in order to get a piece of this explosive market.

The VAR Guy sat down with the study’s author, CompTIA senior director of technology analysis Seth Robinson, to hear what he thinks are the biggest takeaways of the new study. The overall message is that security products alone are no longer enough. A modern approach to security requires a broad mix of tools combined with new processes to be effective.

Read on for five lessons security providers should learn from this report.

1. More than words

Small businesses have been paying lip service to security for a number of years, but over the last 12 to 18 months, Robinson says he’s seen signs that companies are actually beginning to take action on the security front. That’s playing out in the channel in an increased number of firms that are specializing in security, both in the form of general MSPs that are making it more of a focus and in firms that are developing a specialty and becoming managed security service providers.

“The number of [survey] responses we got and the speed that we were able to get them signals there are more firms out there starting to focus on security in one way or another. The channel is responding to this increased level of action around security.”

2. Time to get schooled

These days, security is just as much about user behavior as it is about any technological offering, but offering end user education will take real effort from many product-centric channel partners. Robinson suggests beginning with metrics. Security providers should be able to measure a customer’s baseline of security literacy both before and after training in order to prove efficacy.

The training itself could take multiple different formats depending on the business model and personality of the client. “When we ask about security format, what we typically see is companies doing onboarding training,” says Robinson. “And then they never talk about it again.” Look for other opportunities for security education you can weave in throughout the year instead of just checking the box on an annual basis. Consider using methods such as active audits or penetration testing that highlight where there’s a weakness, then provide focused education that targets that vulnerability. A few months later, repeat the process and try to measure improvement.

3. It’s a whole new data ballgame.

The traditional view of data security has been that business owners decide what information is most important, and then service providers secure it locally. “The reality today is that almost all forms of data are quite important,” says Robinson. “Because of cloud and mobile, it can’t just be kept in a single secure location.” Channel partners have an opportunity to educate their customers about more advanced options.

“Clients are primarily thinking of firewall and antivirus as the primary pieces of their security defense. That’s why channel firms are primarily providing those things,” says Robinson. Overall, 38 percent of the companies surveyed say that firewalls are their biggest seller, while 20 percent of firms place antivirus at the top of their best-seller list. By comparison, only 9 percent of companies report that security information and event management solutions are their biggest revenue producer.

At some point, there needs to be a discussion about what modern security looks like, what works best for the client and what they’d be willing to invest in.

4. It isn’t a scare tactic if it’s fact.

When it comes to the “security talk,” Robinson says about half the time it’s the client who wants to level set, and half the time it’s the channel partner. There’s a growing aversion in the channel to using scare tactics as selling points (and that’s a good thing). But it seems partners shy away from showing their customers the hard numbers when it comes to security, and that isn’t good for anyone involved.

“One of the things that channel firms use the least in that conversation,” he says, “is the cost of breaches.” Business owners need to know the potential financial impact of a cyberattack. It isn’t a scare tactic. It’s a real number that can be extremely detrimental to an SMB. “It’s at least worthwhile to know what those costs are.” Robinson advises partners to show their customers the numbers related to a breach, and then ask them if their level of investment is on par with that potential risk. The bottom line is that security is becoming more about mitigating risk than eliminating it completely. It’s worthwhile to factor in these cost discussions.

5. Stand by your brand

As channel companies try to figure out what their security pitch and their product portfolios look like, there’s a tendency to fall back on the vendors’ brands. “Only 11 percent of the firms in our study around security said they primarily rely on their own services, their own brand versus the vendor reputation and brand,” says Robinson. Elsewhere in the channel, service providers are making great strides in marketing themselves as a brand—and seeing increased sales as a result. In this area, security providers are lagging behind.

There’s a big opportunity for channel firms looking to build a security practice to elevate their offering beyond just the vendor products. Service providers should consider the value they bring in terms of expert consultation and ongoing management, and wrap it all in their own brand.