Security is different from anything a channel partner could sell because it is critical to an organization’s survival, says Claudiu Popa, president of Informatica Corp. in Toronto.
“If they’re selling the wrong product and there’s a disconnect in the expectations, then they’ve affected the ability of that business to continue operating, which is different than selling shredders or garbage cans.”
Since security is essentially a business continuity tool, VARs need specialized training to pass on that knowledge to clients. Otherwise, they might end up pushing an unneeded product or give the mistaken impression that it’s easy to implement.
Or, they could apply it in the wrong way and actually jeopardize the privacy of their data.
First and foremost the channel has an educational responsibility, says Popa, and secondly a duty to meet those requirements once they identify them.
“There’s always going to be new security products out there,” he said. “It doesn’t mean that all of them need to be forced upon an unsuspecting client base.”
Security Resources Group in Regina, for example, helps clients assess their vulnerabilities and then shore up their physical infrastructure and company practices.
Whether it’s penetration testing or the architecture of a new system, compliance is a significant component, particularly for government and publicly traded organizations, says SRG vice-president Blair Ross.
Most of its clients are large enough to have their own IT department, but they’re still turning to the channel for security.
“In order to ensure [they] have the latest in security around information, they’re turning to outsourcing because we have the latest techniques and technologies,” he says. “That’s our business, that’s what we’re focused on.”
SRG is also inundated with requests to do ethical hacking, adds Ross, squirreling into an organization’s systems, and then recommending protection. A number of organizations do this every six months or annually, since security threats are changing so rapidly.
More clients are including application development in their security assessments, whereas over the past couple of years the focus has been on infrastructure.
“As organizations put new applications in, they want to talk about doing an assessment before it goes live,” says Brian Zerr, director of the company’s IT Security Division.
About 95 per cent of security solutions have to be customized to some extent, so SRG works with IBM and other vendor partners to come up with an enterprise-wide solution.
“Every customer I talk to likes having an enterprise view but they just buy the slices of what they need at that particular time, and their needs change depending on what’s going on,” he said.
But there will always be some areas where vendor offerings overlap with their channel partners, says Zerr, adding that it’s better to pick a few strategic vendor partners rather than have dozens of them.
A trend is emerging where channel partners are providing the full solution suite to customers, including hardware, software and deployment services, said Dave Martin, senior analyst of customer segments research with IDC Canada in Toronto.
But because security is such a vast, complex area, no single channel partner has all the answers.
This is leading to another trend, where VARs are partnering with other partners to fill in the gaps of their security expertise. Companies like IBM, Microsoft and SAP have portals where their channel partners can seek out other resellers.
Without that knowledge, a channel partner may not be competent in security. And if they’re not, said Martin, they’re really putting their customer relationship at risk.
If a channel partner is planning to promote, resell or somehow help their clients with security, then they better know what they’re talking about, said Popa, since it’s a lot more serious than selling office products.
“If you’re providing the wrong solution, the least of your problems is liability. Providing the wrong solution to a specific client, that kind of news travels and you lose your coveted position.”