How Optiv Evolved from a VAR to a Different Kind of Partner
Times, they are a-changin’. The traditional value-added reseller (VAR) isn’t just trying to grapple with the move to recurring managed services anymore. Now their competition is getting more sophisticated: developing vertical specializations, building managed security services practices and learning how to sell on value rather than price. It’s enough to make a VAR throw its hands up and decide it just can’t be done. If you’re one of these skeptics who needs some proof, cast your eyes to Optiv.
Peter Evans, chief marketing officer at Optiv, is a self-professed telco guy whom mutual friends pulled into a cybersecurity venture. After stints at a couple of security firms and consulting with venture capitalists, Evans left the industry for six or seven years. When he came back, he expected a learning curve, but learned the more things change, the more they stay the same.
“The only thing that really changed was that you could add a zero on the end of every single number,” said Evans. “The number of vendors, the number of hacks and attacks, the number of breaches, the number of losses, the number of security tools the average company had in their environment — it just seemed like everything had grown by an order of magnitude.”
Evans estimates there are 3,000 security firms in the market. With all of those choices, how is a chief security officer (CSO) or chief information officer (CIO) supposed to keep track? One CSO at a large chemical company told him the business had 17 security tools on every single endpoint. The CSO had no idea how they got there, who bought them, who was configuring them or who was managing them.
Clearly, there was a gap in the managed security services market, and Optiv, which had reached a level of success not often seen by VARs, saw an opportunity to pivot and focus its effort on cybersecurity services.
Pivoting Pain Points
Optiv knew where it wanted to go: to build relationships that let it focus on business outcomes rather than strict IT solutions. It wanted its clients to look at their business models first and then continually work backward to define what they needed from a security program, security tools and, finally, best practices and processes.
“Let’s just stop, pause, take a deep breath and relax. Let’s take inventory of everything you’re doing and find the right security that makes sense for you, not what some compliance mandate tells you, or what your neighbor is doing, or what somebody else is doing,” said Evans.
The company thought the world needed a systems integrator to help clients make heads or tails of all the cybersecurity complexity. That was where it thought its sweet spot was. But it would require Optiv to build out a lot of muscle it had never had before.
In Evans’ world of marketing, a brand-building effort commenced. To fully become the new Optiv, security systems integrator, the company had to look a little more like a typical big consultant, software company or service company. That meant building out certain new initiatives like demand generation and portfolio management.
Sales, too, had to switch gears. The sales team had to learn how to have a business-outcomes conversation. It needed to go “higher and wider” into the customer’s organization and provide more programmatic things like account planning and pipeline development. Today, there’s a new layer of discipline on top of Optiv’s existing relationships that’s driven by services, but convincing internal teams and partners alike that it was the right course of action wasn’t always easy.
“That takes a little time; that takes a little cultural transformation [internally], as well as for the partners,” he explains. “Many of them weren’t comfortable with us saying we’re going to have a conversation with the customer about digital transformation, or about cloud, or about identity as the next kind of perimeter.”
One part of Optiv’s strategy that helped to ease that cultural shift for these resale-focused customers and sales teams was its decision not to move away from its existing VAR business, but simply build out a complementary managed services offering. Today, the resale revenue stream is healthy and growing, and Evans says Optiv has plans to accelerate it through the pivot. It’s spent a great deal of time and resources on developing strong, local relationships, and it had no intention of changing the core makeup of those relationships.
“Our local sales teams or account-focused sales teams know exactly who they should be working with in a major metropolitan area or on a specific account, but Optiv then has the resources of the entire company,” says Scott Whitehouse, vice president of channels and alliances at privileged account security provider CyberArk. “They’ve moved into managed services … but they haven’t lost the relationship with customers in regions.”
No-Go for IPO
In 2016, Optiv announced its decision to go public by filing with the FCC. Within a matter of days, it withdrew the filing when it accepted a buyout by investment firm KKR. Evans says it speaks to the incredible complexity in the cybersecurity market and private equity’s desire to help the market sort itself out.
“The more we started talking with KKR, the more we liked where they wanted to go and their vision of what the industry could be … in three to four years,” explains Evans. “The more we thought about it, we thought we could solve the industry problems faster, grow a lot more quickly with a partnership with KKR.”
Going through with the IPO would have given the service provider the cash it needed to execute on its strategy, but also would have subjected it to the scrutiny that comes with being publicly traded. With the KKR acquisition, Optiv got not only the cash, but also the ability to stay agile and not beholden to shareholders. This, combined with the management team KKR brought on board and the breadth and depth of its network, meant the deal brought a lot of value to Optiv. It also enabled growth initiatives like Optiv’s expansion into international markets, places it couldn’t have gone as quickly had it not had the backing of KKR.
Like many growing companies in the channel, both on the partner and vendor side of the equation, Optiv embarked on an acquisition strategy to speed its entry into new markets and expand its solution stack, both organically and inorganically. Its acquisition of Conexys in 2016, for example, gave it immediate access to the Canadian government, which subsequently had a positive spillover effect that allowed it to expand in the federal government vertical in the States. When it bought Decision Labs in 2017, it gained tools for payment security, vulnerability management and identity access, as well as IP and talent to deepen its portfolio.
“Simple example: We announced a product called Secure Data at the RSA show this year,” says Evans. “This is our bringing in the IP that we’ve acquired with Decision Labs and marrying that together with all our existing value that’s delivered from some of the SIEM vendors, the Splunks and LogRhythms and others around the world.”
CyberArk, which focuses on privileged access security, worked with Accuvant and Fishnet before they merged to become what today is Optiv. Whitehouse says the solution provider has seen much of the same struggle that Optiv has in terms of making customers aware of their risks, but that working hand-in-hand with Optiv has allowed it to be successful as the market grows.
In other words, the acquisition strategy helps Optiv stitch together that coveted end-to-end solution set for its regional customers, a growing demand from one particular market that everyone in the channel is hoping to grab its share of.
The Race for SMB Market Share
Twenty years ago, Evans was fielding sales objections to advanced cybersecurity solutions from SMB customers that didn’t think they needed to operate over the internet. The conversations he’s having today mirror those of 20 years ago as SMBs protest that bad actors won’t bother with attacking a smaller organization.
“I worked with this company that did wireless LAN security, and I remember sitting with the CIO of their very large bank. He said, ‘That’s OK, we don’t need wireless security. We have a ‘no wireless’ policy in the building.’”
One can picture Evans sitting in his office recalling that conversation and shaking his head.
“We showed them that every single … photo-copy machine he had, all the cellphones of the employees, were all beaconing out wirelessly.”
These customers are lost in the complexity of the cybersecurity landscape. That’s the gap Optiv wanted to fill, and where it’s found its niche.
Partners today often struggle with competing against the “emerging channel”: niche MSPs, line-of-business service providers, digital agencies and MSSPs. Optiv’s evolution proves it’s possible to move from a traditional resale model to something different: a hybrid VAR/MSP/systems integrator that has eschewed entrenched labels to build a new kind of partner company in direct response to market demand.
“I’m a big believer that if you listen to the market, the market will tell you exactly what they want, and what they need, and how they need it,” says Evans. “You just have to listen really, really closely.”