Selling security solutions is a complex mix of education, the right incentives and convincing the customer.
Complicating matters is the rapidly expanding complexity of security solutions and the ways in which our multiplying personal device count interact for better or worse. But there’s still considerable demand for security products and services. How can the channel take advantage? Jeremy Matthews, country manager, Panda South Africa agrees that security can be seen as ethereal. “Often it’s being purchased by the wrong people,” he says. “The business people have to sign the cheques for something that isn’t tangible to them. Buying an ERP system is tangible. Buying endpoint security? not so much.”
Julie Ferreira, senior account executive, RSA, notes that the purchase is all too often an afterthought anyway. “Security is generally only bought when something goes wrong. It’s not a proactive buy.”
Andrew Potgieter, security solutions director, Westcon Southern Africa, says that the consumers of security products are very diverse and driven by convenience. “The consumer of security could be anyone: an individual, a small business, an enterprise or a government. We all do the same thing though. We want convenience and we want it faster and we don’t take cognisance of what we’re doing but rather just buy the device. We’re not supposed to have the knowledge about the security portfolio that’s required about that.”
That means the burden of educating the market about security implications falls on resellers. That’s not easy notes John Mcloughlin, MD of J2 Software. “One of the most difficult things about selling security to clients is convincing them that it’s more than anti-virus. Education is one of the most difficult things. A CEO or a CIO may understand but if the rest of the executives say to themselves that they haven’t suffered a breach yet, then why would they need to spend the extra money?”
Gavin Ramsay, IS channel manager at Attix5 says education is vital. “We need to determine what channel we’re selling to – some are services and some are equipment – and they’re a completely different sell. Education is important on multiple levels: we need to educate the channel on the products and they need to educate the customers on why they need to purchase it – and those partners need to understand the product.”
And the process. Fred Mitchell, security software division manager at DCC says there is no silver bullet. “There is no one product to buy that will offer a complete solution to the end user. If there’s a solution or a roadmap then the client will understand that they’re going to purchase something now and then in six months’ time, they will need to purchase something else.”
Van der Walt says specification testing and looking to the business’s needs first are what works. “Mustek has now decided to deal directly with the client in the physical security market doing green field solutions that are solution-specific not product-specific. That is where you can address the immediate needs. We sell a huge variety of products but we look at what the clients’ needs are. We’ve got our own testing facility and we’ve done specification tests where we take units out of a box with the exact same specification. We start running tests and they fail one after the other. So the end user or the engineer doing the work based on a product’s specification will purchase a product and have it fail dismally. And the end result is that the CTO or the CEO asks why they’ve spent millions and the system doesn’t perform.”
Westcon’s Potgieter agrees. “The way to sell properly is to ask customers what they’re trying to fix or what problem they’re trying to solve. But if you can go to a business with a real problem-solver that makes it compliant or reduces risk or fixes a real business need, then that’s how you avoid the grudge feeling in a transaction.”
Michael Horn, business unit manager: security at CA Southern Africa, has an example: self-service password resets. “You can calculate the cost of a user phoning the helpdesk and requesting a new password in terms of lost productivity. Self-service for that gives you an immediate ROI.”
Changing the mindset
But changing the mind of the channel is easier said than done notes DCC’s Mitchell. “I personally know how difficult it is to get resellers to change how they view and sell security. I sat down one day with someone and said I need to talk to him about a particular vendor. He said that it makes up only five percent of his business so I would only have 15 minutes to train his staff. Unless it’s Microsoft which is a massive part of their business, their attitude is to correlate their time with the revenue that I give them. It’s rare to find someone who will see the potential and make room.”
Attix5’s Ramsay notes the difficult task of incentivising resellers in certain markets. “We need to consider how to incentivise the sales force. In our particular channel we resell through internet service providers. They have 90 products that they need to sell. My product is a tiny but very complex one and we have to have these kinds of discussions. The sales guy on the street has a massive revenue target and our product is a drop in the ocean. So it’s about getting clever and getting guys to push your product and learn about it as well.”
And sales don’t happen overnight points out RSA’s Ferreira. “Security is a six to eighteen month sell. You’re convincing a channel partner to invest in this cycle and he’s got those targets he needs to make. It’s hard to convince him to stay with you when he can get his targets faster somewhere else.”
Potgieter says it’s about the sales cycle but also the lack of skills. “I work across a broad range of vendors and sales cycles are increasing. On the enterprise it’s six to eighteen months. In the SMB market for endpoint security, the sales are a bit faster – three to six months – although sometimes shorter. But there’s something else: if you look at our channel partners, you can count the effective ones on ten sets of hands. And there’s a skillset problem. I train someone today, you poach them tomorrow and they move around the industry.”
Two trends are looming over security sales in the channel: the rise of managed services and legislation. Paul Williams, major accounts manager, Fortinet, says managed services is where security is going for the channel. “Ten years ago it was firewalling, today it’s far more complex. Companies need to protect their web applications, their endpoints, their firewalls and the servers behind those firewalls. This is why the service providers pride themselves on doing this business: they have the skills and the experience and the bandwidth.”
On the legislation side, things are perhaps not quite as clear. “We always hope new legislation is the golden axe that breaks open new opportunity,” says Westcon’s Potgieter. “The concern is: how do you drive and manage compliance within a governmental structure that can’t enforce other policies?”
Ferreira sees a bright future for her product suite in regulation-sensitive markets. “We see a massive opportunity for governance, risk and compliance solutions, especially in the banks. They will be the guys that will get the big fines if anything happens.”
But the customer base has heard this drumbeat before. “They’re tired of hearing about it,” says McLoughlin. “I remember personally selling on fear of PoPI before the World Cup in 2010 – because it definitely had to be in before the World Cup! But even so, no-one wants to be the first one pulled up in front of the Regulator.”
It’s the grudge transaction that won’t go away.
Pull quote 1:
“One of the most difficult things about selling security to clients is convincing them that it’s more than antivirus.” John McLoughlin, J2 Software.
Pull quote 2:
“If you can go to a business with a real problem-solver that makes it compliant or reduces risk or fixes a real business need, then that’s how you avoid the grudge feeling in a transaction.” Andrew Potgieter, Westcon Southern Africa.