A long time ago, on a career path far far away, I was responsible for the delivery of security consulting services across the EMEA and APAC regions. Even as someone fairly new to a Director level role it was clear that any company not selling cybersecurity through as many external channels as possible would be hard pressed to cover enough ground to achieve significant success.
It was also clear to me that it was the cybersecurity resellers (VARs and the like) who were best placed to cover more ground than any internal team could possibly hope to match. Plus, most of the bigger VARs already had potential pipelines hundreds strong because EVERY organisation that has bought security-relevant equipment is a target for security-relevant consulting. They may not know it or even want it, but they will at least understand why they were approached.
The only problem was that not one VAR gave a damn, and the main reasons were two-fold:
- Consulting cannot be commoditised – VARs are generally ‘box shifters’, they sell a piece of equipment at a profit and move on. Selling consulting of any sort is a significant learning curve, an investment of effort no VAR was prepared to make; and
- Not enough margin – VARs are used to significant margins on hardware, there’s not much wiggle-room in the world of consulting. Especially in the hugely price-compressed world of QSAs/PCI for example.
Both of these are fair points, and there are challenges that I have not mentioned. There are also undoubtedly others of which I am not even aware, but I still think VARs have missed an enormous opportunity. Assuming, of course, that they actually have their clients’ best interests at heart.
When a security consultant performs a gap analysis they will cover almost every aspect of a cybersecurity program, including the security controls in place. From network devices and servers, to more ethereal products like data loss prevention (DLP) and web application firewalls (WAF), to software like anti-virus, file integrity monitoring (FIM) and encryption. All controls are examined in turn, gaps documented, and an acceptable remediation plan agreed with the client.
What you now have is a laundry list of EVERYTHING the customer needs to properly manage their security program. There is no way a VAR would ever have been able to cross-sell / up-sell to that extent. Even salespeople working at security consulting companies rarely have this kind of insight! A good consultant can expose opportunity like no VAR in the history of VARing.
No, I am not suggesting that VARs hire security consultants to help sell technology the client doesn’t need; in fact, there are times when a consultant will prevent a client from buying technology for which the client simply has no use or cannot possibly manage. What I am saying is that most organisations want to buy from a trusted vendor, but rarely know the right questions to ask. Too often they end up with what they asked for, not what they needed. VARs will not know the difference; a consultant will.
The fact remains that all organisations that don’t have in-house expertise need help at some stage: a network administrator can install and manage a firewall, but it takes a security expert to optimise the architecture based on the business processes. A SIEM administrator can import logs and generate alerts, but it takes a security expert to tune the output so that it supports incident response. And so on.
It’s the VARs who help their clients manage not only their technology needs, but their business needs who will truly make a difference. And a lot more money.