Selling Internet security is quite different than selling any other type of IT-related solution. The very mention of the word “security” raises several antennas at every level in every organization. The only debatable thing is: How do we get to a secure posture that is rock solid?
Too many organizations see security as a function of compliance, rather than the other way around. As security professionals, we cringe at this approach and try to teach our clients that, although security will make them compliant, compliance may not make them secure. Unfortunately, in most small and medium-sized companies, compliance is the big driver, with security being a nice thing to have that results from the compliance efforts.
The idea of selling managed Internet security services was considered almost obscene 10 years ago when we started our company. Internet security was seen as something too top-secret to be delegated to an outsider, and yet no one was doing physical security in-house. That issue had already been overcome for many years; if an organization needed physical security, it delegated the task to a specialized company. Just what was so different about Internet security escapes me, but somehow customers thought something was different.
Today, the idea of managed Internet security is widely accepted. Industry analysts now calculate that the managed security market is already around $5 billion and forecast it will grow to $12 billion by 2013 – certainly something you would want a piece of. Therefore, it’s time to gear up and learn whom to talk to and how to approach the subject.
We find that the chances of succeeding are higher if you talk to C-level people and present the proposition purely as a business one, showing them that they can save a large amount of money while increasing their security posture. After all, security is not a piece of technology but an ongoing, 24/7/365 task. Hackers never sleep, so neither can your potential customer; therefore, security needs to be done by a team, because one person cannot keep up.
The choice, then, is whether to increase in-house security personnel or outsource the task. A small to medium-sized company can’t hire a team of security specialists; it’s too expensive, and the specialists would not stay long anyway because the career growth opportunities would be too limited, and the learning opportunities might be even smaller. To achieve real security, outsourcing is really the only option, and the choice now is what to outsource.
The proposition we make at Network Box USA is:
- Outsource to us the details of your security, the mundane issues of watching over the edge of your network, upgrading and updating your software and signatures, making the necessary configuration changes, and so forth.
- Outsource as a consulting engagement the policies and procedures that will improve your security posture, but don’t outsource your overall security.
- Keep in-house the risk assessment; risk belongs to the customer, and a customer employee should watch over it.
This type of approach shows the customer how, over time, a managed security service can provide real and strong security at a very affordable price – a fixed, no-surprises fee. CFOs love this story; there is nothing they like more than a low price that will not become a surprise at the end of the year. The total cost of ownership (TCO) is always a compelling argument for C-level decision makers. When calculating this, you need to be sure to encourage them to also consider the time and money spent when such tasks are managed in-house.
Taking into account only the cost of the hardware involved is not a good measure of the TCO. The hardware, of course, is an important factor, be it a unified threat management (UTM) appliance (we sell Network Box’s own UTM, which includes numerous applications – firewall, intrusion prevention and detection, virtual private network, content filtering, anti-virus, anti-spam, anti-phishing, and anti-spyware) or individual devices. Whatever your customers choose, the hardware needs to be managed, monitored, and updated.
All this costs money, but outsourcing will save the company most of that money. The reason is that the service provider can spread its own costs over a number of customers, whereas the entire cost of a dedicated IT employee falls on the internal budget. Also, an employee needs vacation time, personal time, holidays, and other time away from the job. When these tasks are outsourced, this issue disappears as well.
Finally, here are some tips relating to the all-important firewall. Do not talk about replacing the firewall with a managed solution to the person currently managing the firewall, unless he or she also has several other tasks and will be happy to relinquish that particular one. Otherwise, that employee will feel as though you’re trying to threaten his or her job and will start putting obstacles in your way. In addition, explain that changing firewall port configurations is NOT a strategic task in the realm of security. Risk assessment is strategic; overseeing the entire security posture is strategic; changing the firewall rules is definitely not.