Grudge into gold

John Mc Loughlin, J2 Software | photography by Karolina Komendera

Selling security solutions is a complex mix of education, the right incentives and convincing the customer.


Fred Mitchell, DCC Fred Mitchell, DCC
Despite accounting for such a significant segment of the IT products and services market, security is still seen as something ethereal and somewhat akin to insurance: a grudge product that you buy ‘just in case.’

Complicating matters is the rapidly expanding complexity of security solutions and the ways in which our multiplying personal device count interact for better or worse. But there’s still considerable demand for security products and services. How can the channel take advantage? Jeremy Matthews, country manager, Panda South Africa agrees that security can be seen as ethereal. “Often it’s being purchased by the wrong people,” he says. “The business people have to sign the cheques for something that isn’t tangible to them. Buying an ERP system is tangible. Buying endpoint security? not so much.”

Julie Ferreira, senior account executive, RSA, notes that the purchase is all too often an afterthought anyway. “Security is generally only bought when something goes wrong. It’s not a proactive buy.”

Andrew Potgieter, security solutions director, Westcon Southern Africa, says that the consumers of security products are very diverse and driven by convenience. “The consumer of security could be anyone: an individual, a small business, an enterprise or a government. We all do the same thing though. We want convenience and we want it faster and we don’t take cognisance of what we’re doing but rather just buy the device. We’re not supposed to have the knowledge about the security portfolio that’s required about that.”

Michael Horn, CA Southern Africa Michael Horn, CA Southern Africa

That means the burden of educating the market about security implications falls on resellers. That’s not easy notes John Mcloughlin, MD of J2 Software. “One of the most difficult things about selling security to clients is convincing them that it’s more than anti-virus. Education is one of the most difficult things. A CEO or a CIO may understand but if the rest of the executives say to themselves that they haven’t suffered a breach yet, then why would they need to spend the extra money?”

Gavin Ramsay, IS channel manager at Attix5 says education is vital. “We need to determine what channel we’re selling to – some are services and some are equipment – and they’re a completely different sell. Education is important on multiple levels: we need to educate the channel on the products and they need to educate the customers on why they need to purchase it – and those partners need to understand the product.”

And the process. Fred Mitchell, security software division manager at DCC says there is no silver bullet. “There is no one product to buy that will offer a complete solution to the end user. If there’s a solution or a roadmap then the client will understand that they’re going to purchase something now and then in six months’ time, they will need to purchase something else.”

Jeremy Matthews, Panda South Africa Jeremy Matthews, Panda South Africa
Peet van der Walt, programme manager, Mustek Security Technologies, has also struggled with basic education of his channel. “We sit with the exact same issue with regards to resellers who advertise your product. They don’t know the first thing about it, they don’t know what the physical features and benefits are, and they don’t communicate them to the end user.”

Van der Walt says specification testing and looking to the business’s needs first are what works. “Mustek has now decided to deal directly with the client in the physical security market doing green field solutions that are solution-specific not product-specific. That is where you can address the immediate needs. We sell a huge variety of products but we look at what the clients’ needs are. We’ve got our own testing facility and we’ve done specification tests where we take units out of a box with the exact same specification. We start running tests and they fail one after the other. So the end user or the engineer doing the work based on a product’s specification will purchase a product and have it fail dismally. And the end result is that the CTO or the CEO asks why they’ve spent millions and the system doesn’t perform.”

Westcon’s Potgieter agrees. “The way to sell properly is to ask customers what they’re trying to fix or what problem they’re trying to solve. But if you can go to a business with a real problem-solver that makes it compliant or reduces risk or fixes a real business need, then that’s how you avoid the grudge feeling in a transaction.”

Peet van der Walt , Mustek Peet van der Walt , Mustek

Michael Horn, business unit manager: security at CA Southern Africa, has an example: self-service password resets. “You can calculate the cost of a user phoning the helpdesk and requesting a new password in terms of lost productivity. Self-service for that gives you an immediate ROI.”

Changing the mindset

But changing the mind of the channel is easier said than done notes DCC’s Mitchell. “I personally know how difficult it is to get resellers to change how they view and sell security. I sat down one day with someone and said I need to talk to him about a particular vendor. He said that it makes up only five percent of his business so I would only have 15 minutes to train his staff. Unless it’s Microsoft which is a massive part of their business, their attitude is to correlate their time with the revenue that I give them. It’s rare to find someone who will see the potential and make room.”

Andrew Potgieter, Westcon Andrew Potgieter, Westcon
J2’s McLoughlin says the demand should be driven from the customer side. “No matter what tool you’re in charge of, whether it’s insider-focused or external or something else, the onus should be on us to make the resellers change by driving the demand from the end-user side. You don’t necessarily need to engage but you can drive demand with education, forums and events. Driving that demand is the only way to get their clients to ask them for those products. And if they don’t do it, another reseller will take that business from them. Loyalty is not as tight as it was previously. If something’s not being done correctly, then customers will get it somewhere else. Certain industries are more commoditised than others, but there’s still room for competition.”

Attix5’s Ramsay notes the difficult task of incentivising resellers in certain markets. “We need to consider how to incentivise the sales force. In our particular channel we resell through internet service providers. They have 90 products that they need to sell. My product is a tiny but very complex one and we have to have these kinds of discussions. The sales guy on the street has a massive revenue target and our product is a drop in the ocean. So it’s about getting clever and getting guys to push your product and learn about it as well.”

Paul Williams, Fortinet Paul Williams, Fortinet

And sales don’t happen overnight points out RSA’s Ferreira. “Security is a six to eighteen month sell. You’re convincing a channel partner to invest in this cycle and he’s got those targets he needs to make. It’s hard to convince him to stay with you when he can get his targets faster somewhere else.”

Potgieter says it’s about the sales cycle but also the lack of skills. “I work across a broad range of vendors and sales cycles are increasing. On the enterprise it’s six to eighteen months. In the SMB market for endpoint security, the sales are a bit faster – three to six months – although sometimes shorter. But there’s something else: if you look at our channel partners, you can count the effective ones on ten sets of hands. And there’s a skillset problem. I train someone today, you poach them tomorrow and they move around the industry.”

Julie Ferreira, RSA Julie Ferreira, RSA
The future

Two trends are looming over security sales in the channel: the rise of managed services and legislation. Paul Williams, major accounts manager, Fortinet, says managed services is where security is going for the channel. “Ten years ago it was firewalling, today it’s far more complex. Companies need to protect their web applications, their endpoints, their firewalls and the servers behind those firewalls. This is why the service providers pride themselves on doing this business: they have the skills and the experience and the bandwidth.”

On the legislation side, things are perhaps not quite as clear. “We always hope new legislation is the golden axe that breaks open new opportunity,” says Westcon’s Potgieter. “The concern is: how do you drive and manage compliance within a governmental structure that can’t enforce other policies?”

Ferreira sees a bright future for her product suite in regulation-sensitive markets. “We see a massive opportunity for governance, risk and compliance solutions, especially in the banks. They will be the guys that will get the big fines if anything happens.”

Gavin Ramsay, Attix5 Gavin Ramsay, Attix5

But the customer base has heard this drumbeat before. “They’re tired of hearing about it,” says McLoughlin. “I remember personally selling on fear of PoPI before the World Cup in 2010 – because it definitely had to be in before the World Cup! But even so, no-one wants to be the first one pulled up in front of the Regulator.”

It’s the grudge transaction that won’t go away.

Pull quote 1:

“One of the most difficult things about selling security to clients is convincing them that it’s more than antivirus.” John McLoughlin, J2 Software.

Pull quote 2:

“If you can go to a business with a real problem-solver that makes it compliant or reduces risk or fixes a real business need, then that’s how you avoid the grudge feeling in a transaction.” Andrew Potgieter, Westcon Southern Africa.


sponsored by
sponsored by