How Financially Secure Is Your Security Vendor?

RSA earlier this week revamped its SecureWorld channel program, which now boasts new tiers for its broader product line, performance-based rebates, special rewards for incremental sales and, as proof of stability, the deep pockets of its parent, EMC.

“A lot of niche players are going to flights of safety,” says Bill Taylor, senior director of global channels and alliances. “You have to ask how secure your security vendor is. If [it’s] not so [secure], why not go with the market leader?”

Security remains one of the bright spots in the technology industry, as end users continue to seek products and services to guard their IT infrastructures and digital assets. In the wake of layoffs and the rising threat of information thefts and leaks, businesses from large enterprises to small shops are investing in data loss prevention, risk management and network-based policy enforcement.

While many leading security vendors such as RSA, Symantec, McAfee and Cisco Systems offer these emerging threat prevention solutions, they’re also fertile ground for startups and smaller, innovative security companies, such as Purewire or Palo Alto Networks. Given the instability of the economy, the longer sales cycles and the risk-adverse venture capital community, capitalization and financial viability may become more important considerations than technology when solution providers and end users are making their security choices.

“We’re betting on that,” Taylor says. “It’s good to be the big, strong guys with money in the bank and the deep pockets of our parent company. There are guys who are struggling and they have no money. The decisions [solution providers] make now affects what happens and they’ll have a flight to safety.”

Financial viability of startup security vendors was a common theme during the last recession (2001-2002), as larger, more established security vendors would often tout their revenue run-rates and larger deployment bases as a means of demonstrating stability. Small security vendors—particularly startups—were often left having to explain why their venture capital backers were better than competitors’ deep pockets or how their innovative technology trumped the market leader.

“You should always ask about the financial viability, but viability has more to do than what’s on the balance sheet,” says Michael Van Bruinisse, president and chief operating officer of Purewire, a SAAS (software as a service) Web filtering and security company.

Purewire launched last fall with the founder’s investment and the backing of angel investors, and it hasn’t sought venture funding. The company has garnered a lot of industry buzz because of its SAAS approach to Web security, and that has attracted the attention of investors. Innovation, he says says, is often as or more important than a company’s bottom line and financial backing.

“If you look at the history of the security industry, it was built by small, innovative guys,” says Van Bruinisse. “You haven’t seen innovation from the big guys in a long time. That’s why they’re so aggressive on acquisitions.”

Solution providers and end users have been burned by smaller vendors—regardless of economic conditions. Solution providers have been left holding the bag on support contracts and products by vendors that have flamed out of business. Often worse for solution providers is when a weak security vendor is acquired by a larger vendor and absorbed into its larger channel, where it’s often lost among the masses.

“We would have that level of inspection irrespective of the economy,” says Steven Reese, director of solutions marketing at Nexus IS, a solution provider in Valencia, Calif. “We have to look at that because of the size and the nameplates of the companies that we deal with, so the first questions are how are you funded and what is your total addressable market.”

Financial viability isn’t always the only consideration. Small vendors are often more nimble, able to make adjustments in their programs and accommodate special requests of partners more easily than their larger counterparts because they’re free of bureaucracy. Decision-making power at small vendors and startups often rests closer to the partner.

RSA’s enhancements to SecureWorld are, in part, designed to give its solution providers financial rewards and incentives for sticking with the “big guys.” Specialization, building and selling holistic products and breaking into new markets takes investment on the part of solution providers, and the program changes give solution providers the incentive to make those investments, Taylor says.

Not all big vendors are accommodating to solution providers and even incentives such as those implemented by RSA aren’t always easy to obtain. The catch solution providers often find is that smaller vendors are often willing to make deals—lower prices and higher margins—more readily than large vendors because they do want the business.

Large vendors also come with a fair amount of ambivalence, says Mark Lawson, president of VSM, a St. Louis-based solution provider specializing in emerging security technologies and vendors. The risk of working only with larger vendors is that they often care more about their own quarterly performance numbers than their partners, which causes them to think about themselves first.

“It’s OK that the small vendor has limited resources because with the RSAs and EMCs of the world I’m going to get pushed out of deals or they’re going to get nervous at the end of the quarter and eat my margins,” Lawson says. “I’m going to be more profitable with the smaller vendors.”