Paradox: Security Is Profitable but Boring

By Lawrence Walsh



Businesses continue to spend the most on commoditized perimeter security technologies even though emerging threats are keeping them awake at night. Solution providers should bring better risk management to their clients.

Here’s an interesting paradox: Solution providers say security systems are the most profitable products and services to sell but are among the least exciting technologies in the market today.

According to the Channel Insider 2008 Channel Outlook survey, 29 percent of all solution providers and 33 percent of fast-growth solution providers say security is the most profitable technology. When asked about exciting technologies, security ranked in the middle of the pack among total and fast-growth solution providers.

What makes these statistics even more interesting is what technical attributes solution providers look for in acquisition targets – security rates second on the list just behind application-development skills.

How can security technologies simultaneously rank among the most profitable and the most mundane? Security is supposed to be exciting; fighting the dark lords of the digital underground is the stuff of thriller movies and TV cop shows. The truth is security is actually pretty mundane, and businesses—and, by extension, their solution providers—are focusing on the mundane: perimeter security.

According to the "Security Perceptions vs. Reality" survey conducted by Baseline (another Ziff Davis Enterprise publication), businesses ranging from large enterprises to small organizations devote most of their current and future security investments to perimeter technologies. Topping the lists are firewalls, antivirus software, antispyware security, e-mail security and wireless security.

The good news is these technologies are working well for the threats and risks they counter. The survey found that businesses are suffering fewer and lower losses to perimeter-focused hacks and malware infections. More than half of the businesses participating in the survey say their losses to these common security threats last year were less than $25,000.

The problem is businesses’ security priorities are out of alignment with their threat perceptions. Only 24 percent of respondents are concerned about external network and data breaches, while one-third of businesses are kept awake at night by the threat of internal user privacy violations and theft of mobile devices. One in five participants is worried by the threat of internal data theft and the theft or loss of portable media.

Businesses are buying emerging and advanced security solutions, such as data loss prevention, automated encryption and network access control suites. But the adoption of technologies that actually address their most pressing security threats is happening at a much slower pace than that of conventional and commoditized technologies.

There are many explanations for this security paradox. Here are a few to consider:

  • Conventional perimeter security technology is a necessity. There’s no getting around having to buy a firewall.
  • Perimeter security is well understood, therefore easier to justify in a corporate budget.
  • Perimeter security is doing the job it’s designed to do and needs to be maintained.
  • License renewals and maintenance fees for perimeter security are soaking up dollars that could go to products that counter emerging risks.
  • Emerging and advanced security remains unproven, and businesses are waiting for them to mature.
  • Security, in general, is still being sold as products rather than integrated systems where the most dollars are going to the most recognizable and understood technologies.
  • There’s a fundamental absence of risk management and risk mitigation strategies.

Much of this spells a need for better risk management and risk mitigation strategies on both the client and solution provider side of the security equation. Solution providers should take a harder look at their clients’ operations and risk exposures, and apply the most appropriate mix of security technologies that address the aggregated risk.

There is no denying the need for firewalls, but they’re not a blanket answer for all threats and risks. And not every business needs data loss prevention solutions. But only through proper risk management strategies will solution providers determine their clients’ true security needs. By addressing specific security concerns, solution providers deliver more value to their clients and build even stronger bonds as their customers’ trusted advisor and partner.

So before you sell yet another firewall, take a second look at your customers’ operations and risk exposure. You may find more opportunity beyond that easy sale.

Lawrence M. Walsh is the vice president and group publisher of Channel Insider. You can reach him at lawrence.walsh@ziffdavisenterprise.com.


Lawrence Walsh is editor of Baseline magazine, overseeing print and online editorial content and the strategic direction of the publication. He is also a regular columnist for Ziff Davis Enterprise's Channel Insider. Mr. Walsh is well versed in IT technology and issues, and he is an expert in IT security technologies and policies, managed services, business intelligence software and IT reseller channels. An award-winning journalist, Mr. Walsh has served as editor of CMP Technology's VARBusiness and GovernmentVAR magazines, and TechTarget's Information Security magazine. He has written hundreds of articles, analyses and commentaries on the development of reseller businesses, the IT marketplace and managed services, as well as information security policy, strategy and technology. Prior to his magazine career, Mr. Walsh was a newspaper editor and reporter, having held editorial positions at the Boston Globe, MetroWest Daily News, Brockton Enterprise and Community Newspaper Company.
