If you couple cybercrime with the data security threats associated with viruses, phishing and terrorism, it is no wonder security is big bucks.
Research firm IDC estimates the total security market in Australia in 2005 was worth $845 million spread across software, hardware and services. That number is expected to increase to more than $1.3 billion by 2010, says Patrik Bihammar, security and infrastructure management software analyst for IDC Australia.
Despite this growth, and reportedly good margins, some resellers and integrators have been slow to make the transition into the security space.
Slow start
There are three types of security players in the channel, says Nick Verykios, marketing director of Firewall Systems, who was in attendance at CRN’s roundtable: those who are ready and hitched to security’s bandwagon, those who leave it to others because it is too hard, and those who previously invested too heavily in doing it all themselves and have now gone bust.
Some resellers are still talking about security in terms of “speeds and feeds”, because that is the language they are used to when talking about routers and switches, says Sven Radavics, A/NZ sales director for WatchGuard Technologies. “When people talk security, they need to invest a bit of time in training themselves not just in the products and technologies, but in what the real issues are for businesses. Security is moving from being a technical issue to being seen as a business issue,” he says. “Box shifters who don’t understand security but have jumped into the moshpit in search of better margins have a steep learning curve ahead of them.”
[Image: LAN's Howard: A lot of time getting partners up to speed]
LAN Systems’ national sales manager Leigh Howard, also at the roundtable, says the company spends a lot of time trying to get new partners up to speed when they come from a storage or networking background. “[They] may not understand security is very much more than just putting in a firewall for your perimeter,” he says.
In some quarters there is an attitude that if you have a security product to sell, you unpack it, strip off the shrink-wrap, install it and it does its job.
But in security that seldom yields the best outcome, says Peter McNally, Asia-Pacific’s security leader for professional services firm KPMG. “A lot of well-intentioned resellers don’t really try and identify the business profile of the organisation they’re selling to,” he says. “They go in selling product. It might be very good product, but they don’t look at how it fits in with that company.”
McNally says another challenge is major vendors like IBM, Microsoft, and HP are integrating security into existing products, and while that is helping the industry overall, it is creating fewer opportunities for specialist security providers.
“The clever ones still find gaps and develop products to fit nicely in those gaps. There’s still room for innovation in security, and this market is in much better shape than it was a few years ago,” he says.
Innovation is fine, but “baby-steps” is the cautionary message from some security players.
Computer Associates’ solutions strategist Chris Thomas says antivirus, spyware, malware, intrusion detection, and firewalls are a good starting point, because that is what a lot of SMBs are looking at in their first foray in the security space.
“Then they start talking about bigger areas like identity and access management, managing user IDs, resetting passwords. If you go the ‘big bang’ approach and try to cover everything at once, you may find yourself without the right skill sets to be able to do that properly,” Thomas says.
Training-up and hiring-in skilled staff is often a drain. David Blackman, Symantec’s director of channel sales in the Pacific region, told roundtable attendees that it is not easy to stay on top of security skills, because they are complex and ever-changing. “It’s expensive to keep your engineers trained and your sales people up to speed,” he says.
McAfee’s Asia-Pacific marketing director Allan Bell concurred with Blackman. “It takes an engineer two years to go from a base level to being a reasonable security person. Some work for 10 years and are still learning.”
Roundtable attendee and general manager at security integrator Loop Technologies Martin Bicknell says if the company put all the vendors’ training requirements into engineers, each engineer would be out of action for two to three months of the year. “That’s our biggest problem,” he says.
[Image: Secure Computing's Krieger: Security the only game in town]
“Training requirements are quite intensive. If you took all the vendors that we are partners with, it’s a long, drawn-out training process.” The catch-22 is if you do not invest in training, you risk losing staff, he says.
Some resellers and integrators have been slow to take the leap into security because when they first looked at the area, they basically saw it as a black art that was not hugely profitable.
Now things are slowly changing, says roundtable attendee and Secure Computing country manager Eric Krieger. “What security offers them is an ability to differentiate themselves.”
Resellers are starting to understand the profits available in the security market. “A hell of a lot more resellers are waking up to the fact that there is money to be made there, and security is the only game in town at the moment,” Krieger says. The security market is growing faster than the overall IT market on all fronts – software, hardware and services.
Bihammar says IDC Australia is currently revising the security numbers, but in 2005 security services accounted for about 50 percent of the total security market in Australia, security software 40 percent, and security hardware (threat management appliances) accounted for less than 10 percent. Bihammar says some of the fastest growing markets are expected to be unified threat management (UTM), identity and access management, security/vulnerability management software, and managed security services (MSS).
The UTM global market is expected to grow to US$2.4 billion by 2009, with a forecast CAGR of 47.9 percent from 2004 through to 2009, according to IDC.
Dominic Whitehand, managing director of distributor WhiteGold Solutions, says his company was one of the first to put forward the UTM message locally, and everybody “pooh-poohed” it for a couple of years.
“Now everybody is on the UTM bandwagon, but true UTM needs to be backed up with proprietary technology. Some of the UTM offerings out there say ‘We’ve got a leading UTM appliance’ but they’ve just bolted a load of OEM versions of software solutions together in a box and say ‘Here you go, it’s UTM’.”
Whitehand says that is asking for degradation of performance. “When you’re looking at enterprise accounts, that’s exactly what they don’t want to see. They want something for blended threats but they don’t want bottlenecks on the network that hold up emails and network traffic.”
UTM as a term has been hijacked, agrees WatchGuard’s Radavics. Some vendors build a very low-end firewall and throw some gateway anti-virus on it, and suddenly call it UTM, he says.
“It’s a fundamental problem, it’s misleading. A smaller end-user sees one UTM product for $110 and another UTM product for $600–$700, and there’s no real way for someone who’s not really educated in this space to tell the difference. They both say firewall, both say VPN, both say UTM and they don’t really know what it is they’re buying,” Radavics says.
UTM products are not the only security solutions that engender confusion. For some customers, security is just too hard, too expensive, and evolving too rapidly to get a handle on.
[Image, left to right: Cisco's Larry Bloch, Express Data's Mal Shaw, Firewall's Nick Verykios, DiData's Neil Campbell, McAfee's Alan Bell, LAN's Leigh Howard, Loop's Martin Bicknell, LAN 1's Robert Harkness and Secure's Eric Krieger]
The 2006 Australian computer crime and security survey released in May showed that only 10 percent of respondents thought they were managing all aspects of computer security reasonably well. Some 22 percent of respondents admitted to experiencing electronic attacks that harmed the confidentiality, integrity or availability of network data or systems in the past 12 months.
Those surveyed were from a broad cross-section of Australian industry, including private and public sector. Even some of the big banks have admitted to their IT security partners that it is cheaper to wear the losses from online fraud each year than to take extra security steps such as equipping each customer with a security key.
Krieger says two years ago, banks admitted they were losing one million dollars a month from online fraud, and recently admitted it had gone up to two million dollars a month. “There’s serious money being lost that they’re underwriting. Because their turnover is so large, they’re wearing the cost. But at what point – if it goes from $2 million per month to $10 million to $20 million per month – do they suddenly not wear it?” Krieger says.
Dimension Data’s national security practice manager Neil Campbell says it is all about risk management. Take for example the credit card system. “Credit cards suck, they’re a crappy form of security, but credit card companies and banks make so much money and charge us such high interest rates that we pre-pay our own fraud,” he says. “Overall it’s a successful system for them. IT security is the same.”