Channel Insider content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Here’s an interesting paradox: Solution providers say security systems are the most profitable products and services to sell but are among the least exciting technologies in the market today.

According to the Channel Insider 2008 Channel Outlook survey, 29 percent of all solution providers and 33 percent of fast-growth solution providers say security is the most profitable technology. When asked about exciting technologies, security ranked in the middle of the pack among total and fast-growth solution providers.

What makes these statistics even more interesting is what technical attributes solution providers look for in acquisition targets – security rates second on the list just behind application-development skills.

How can security technologies simultaneously rank among the most profitable and the most mundane? Security is supposed to be exciting; fighting the dark lords of the digital underground is the stuff of thriller movies and TV cop shows. The truth is security is actually pretty mundane, and businesses—and, by extension, their solution providers—are focusing on the mundane: perimeter security.

The “Security Perceptions vs. Reality” survey conducted by Baseline (another Ziff Davis Enterprise publication), businesses ranging from large enterprise to small organizations devote most of their current and future security investments in perimeter technologies. Topping the lists are firewalls, antivirus software, antispyware security, e-mail security and wireless security.

The good news is these technologies are working well for the threats and risks they counter. The survey found that businesses are suffering fewer and lower losses to perimeter-focused hacks and malware infections. More than half of the businesses participating in the survey say their losses to these common security threats last year were less than $25,000.

The problem is businesses’ security priorities are out of alignment with their threat perceptions. Only 24 percent of respondents are concerned about external network and data breaches. While one-third of businesses are kept awake at night by the threat of internal user privacy violations and theft mobile devices. One in five participants are worried by the threat of internal data theft and the theft or loss of portable media.

Businesses are buying emerging and advance security solutions, such as data loss prevention, automated encryption and network access control suites. But the adoption of technologies that actually address their most pressing security threats is happening at a much slower pace than conventional and commoditized technologies.

There are many explanations for this security paradox. Here’s a few to consider:

  • Conventional perimeter security technology is a necessity. There’s no getting around having to buy a firewall.
  • Perimeter security is well understood, therefore easier to justify in a corporate budget.
  • Perimeter security is doing the job it’s designed its designed to do and needs to be maintained.
  • License renewals and maintenance fees for perimeter security are soaking up dollars that could go to products that counter emerging risks.
  • Emerging and advanced security remains unproven, and businesses are waiting for them to mature.
  • Security, in general, is still being sold as products rather than integrated systems where the most dollars are going to the most recognizable and understood technologies.
  • There’s a fundamental absence of risk management and risk mitigation strategies.

Much of this spells a need for better risk management and risk mitigation strategies on both the client and solution provider side of the security equation. Solution providers should take a harder look at their clients’ operations and risk exposures, and apply the most appropriate mix of security technologies that address the aggregated risk.

There is no denying the need for firewalls, but they’re not a blanket answer for all threats and risks. And not every business needs data loss prevention solutions. But only through proper risk management strategies will solution providers determine their clients’ true security needs. By addressing specific security concerns, solution providers deliver more value to their clients and build even stronger binds as their trusted advisor and partner to their customers.

So before you sell yet another firewall, take a second look at your customers’ operations and risk exposure. You may find more opportunity beyond that easy sale.

Lawrence M. Walsh is the vice president and group publisher of Channel Insider. You can reach him at