Profiting from Security: A Channel Perspective

The security market is undergoing change and if you want to ensure the future of your business, it's time to look beyond commoditized technologies to new feeding grounds.

Warren Buffett said it best: "In a chronically leaking boat, energy devoted to changing vessels is more productive than energy devoted to patching leaks."

Actually, there might be a way to improve Buffett--by asking people in leaking boats to hightail it out of there.

Little is more evocative of a sinking boat than today's market for basic security technologies. Profits from security technologies like anti-virus and firewalls just don't cut it any more, especially when, as in the last few months, the enterprise security landscape has witnessed a giant transformation with the advent of new technologies. Here's the bottom line: Making real money is no longer about anti-virus and firewalls--and if you're smart, you've already moved on to more lucrative security technologies.

If you haven't, the question is, where are these new goldmines? And what does it take to profit from them?

The Slow Decline

At Mumbai-based MIEL e-Security, director Anuj Gupta has been noticing a trend. Anti-virus (AV) and unified threat management (UTM), which used to contribute 65 percent to the firm's security revenues, have now fallen to less than half--about 30 percent. "UTM and AV had become commodities, resulting in a dirty price war," he says.

From a channel partner's perspective, the sale of more commoditized security products doesn't make a great deal of sense. The value of products like AV and UTM is shrinking by the day, given the number of foot soldiers needed to support customers. "Both pre and post sales support, and doing POCs, started to make less business sense," says Gupta.

So MIEL e-Security, which derives over 40 percent of its revenues from security, began to focus its sights on richer feeding grounds. Last year, director Gupta formed a separate division called 'Emerging Technologies Services' that focuses primarily on new security areas including DLP, SIEM, database security and cyber security for SCADA systems. (To see demand for DLP solutions, read DLP in High Demand)

Today, the new division is 30-strong and has been extensively cross-trained on new technologies, says Gupta. And it's beginning to make its presence felt in the market with the acquisition of marquee customers. But with investments in expensive resources and a well-defined roadmap, it will take time to nourish, says Gupta.

MIEL e-Security isn't the only one seeing lower value from basic security technologies. So is ACPL Systems, a Delhi-based firm that specializes in security. "There's enough market pull (for AV and UTM) to boost your top lines, but margins have shrunk. In no way do they contribute anything to the bottom line," says CEO Vishal Bindra.

Prabhakar S., CEO, Esteem Infotech, a security-focused company in Bangalore, is less forgiving. "A two-digit profit for an AV solution priced at Rs 200 will not help your top line or bottom line," he says.

Down in Chennai, N.K. Mehta, CEO and MD of Secure Network Solutions, is also seeing signs of that dirty price war Gupta refers to. "UTM is a price-sensitive market because there are so many vendors," he says. Neither is his company banking on AV to bring the bacon home. "We don't position it as a standalone and only implement it if it is part of a gateway-level deal," says Mehta.

Part of the problem is that the impressive amount of competition in the market for basic security technologies forces partners to undercut prices, which erodes profitability. "AV is not a high margin business," says Nilesh Kuvadia, MD of Baroda-based ITCG Solutions.

That said, it will be some time before channel players give up on these products. At Chennai-based Digital Track Solutions, for example, UTM and AV still contribute the lion's share to the company's security kitty.

Even Kuvadia, who believes that AV is not a "high margin business," says, "AV is an evergreen product which will be in demand as threats from various corners emerge."

Others like Vipul Datta, CEO of Delhi-headquartered Futuresoft Solutions, which made Rs 50 crore in 2011-2012, refute the idea that security products like UTM will go out of fashion. In fact, he believes that demand for UTM from enterprises will only grow over the next three to four years. "End user service organizations are looking into tier-II and tier-III cities. UTM is a single box that gives 80 percent functionality and can be managed remotely. The cost of ownership and support is very low from an enterprise perspective," he says.

If you're getting a sense of wistfulness, an unwillingness to give up on basic security technologies from channel partners, you aren't far from the truth. That feeling is strong among companies like ACPL Systems. On the one hand CEO Bindra says he doesn't understand why margins for AV should be so low since "it is a high-service business. AV is becoming more complex as one needs to know about malware, different OSes, the internal Windows network, and many more things."

Yet, on the other hand he has seen revenues from AV slip. Five years ago, anti-virus made up 80 percent of ACPL's revenues. Today, that's fallen to 10 percent. "It's sad," he says. "Dwindling margins on run-rate and basic solutions have forced us to drift towards database security, DLP, IPS, and Web security. Today, we'd rather drive up the tech curve fast than compete with hordes of partners."

Bindra is among a small band of channel partners who have begun to de-risk their security businesses by broadening into new, more profitable areas. It's hard to find fault with the strategy if you go by the numbers. According to the Indian Information Security Survey 2012--one of the largest if not the largest security survey in the world--security budgets of the organizations across industries and revenue sizes are showing a definite shift towards newer technologies and technology trends including cloud computing, BYOD (bring your own device), social media, and data security. (Read full survey on page 28).

At MIEL e-Security, Gupta is seeing even more opportunities. "Websense DLP has good services revenues," says Gupta. "SCADA security is complex but we are a niche practice and are building a security consultancy with a 360-degree approach to it. SIEM (security information and event management), privileged identity management and IRM (information risk management) are other technologies in demand which form part of the new group. Besides McAfee Sentrigo, we are evaluating other vendors for database security."

There's an added benefit to floating towards non-basic solutions: It opens up your market. "We are now building security practices with which we can go global," says Gupta. "We are undertaking assignments outside India with Websense DLP," he says.

Data is the Key

Over the past few years, organizations have traversed the security gamut starting from network security, through Web security and application security, and now to data security. The growing focus on data is apparent from the 73 percent of Indian organizations who say they will increase investments in data protection enhancement during the coming year, according to Indian Information Security Survey 2012. That's a development Prabhakar from Esteem Infotech was tracking for a while before he decided to get into the data security game. Four years ago, the Bangalore-based company moved to DLP, encryption and application control. "Though customers were conservative, we foresaw the best opportunity with these new technologies," says Prabhakar. Two years ago, the company deployed 20,000 licenses of McAfee Application Control for Mphasis' offices across the globe. And today, DLP and encryption contribute to over 40 percent of the Rs 11 crore in revenues it made in the last financial year, says Prabhakar.

Esteem Infotech is definitely an early-mover. But if you missed that first boat, don't worry, it still isn't too late. According to the survey, over 72 percent of Indian organizations plan to implement DLP as a way to protect data in the next 12 months.

This sharpening focus on data security is a transition channel partners are beginning to see among their customers. "They (CIOs) cannot control what happens in the network but what's happening to the data is their concern," says ACPL's Bindra. Earlier, he says, HR and business development managers weren't really interested in application or network security. But, now, more data is being owned by company stakeholders and others. "When we talk of DLP, DRM (digital rights management), and BYOD, these groups are much more involved," he says.

Not all channel partners are seeing the same migration to data security, though. "DLP, and the cloud is fine for big enterprises," says Mehta from Secure Network Solutions in Chennai. Focused primarily on SMBs, the company, which made Rs 15 crore last financial year, hasn't seen a swap between orders for gateway security or UTM and the cloud or DLP. "Customers want DLP but they are not sure if they want it at the gateway or at the desktop level. DLP is a wide open ocean. That said, gateway DLP is showing some demand," he says.

Thanks to Wikileaks, there is a growing awareness of data security--and the importance of data availability solutions--even among small business units, says Sudhir Kothari, CEO and MD, Embee Software. "We talk to customers about the ROI of solutions like IRM, DLP, and high availability solutions, which gives us maximum return and loyalty among customers," he says.

Sales Cycle Tradeoff

Shrinking demand for AV, UTM and firewall products is only one reason that channel partners are gravitating towards higher-end security technologies. Here's the other: The latter offers fatter margins. Many of the firms deploying technologies like DLP tend to have a bottom-line focus, not a top line one.

"Security margins were at decent double-digit levels a few years ago as low-end margins among other software products drove most SIs to drift towards security. Partners make decent margins from services in DLP, SIEM or technologies which demand skilled manpower and technical competency," says Harish Tyagi, CEO, Taarak India. All of the firm's business, including services and consulting expertise, comes from security.

But as enticing as it is to fatten the bottom line by pushing new technologies, it takes planning and a willingness to accommodate tradeoffs. "You need to prepare accordingly and you need to do it before you go back to your customer," says ACPL's Bindra. "Web applications, firewalls, DLP, IRM all have a direct impact on business as their implementation cycles are longer," says Bindra.

That's a sentiment that S.T. Muneer Ahamed, MD, Digital Track Solutions echoes. At the network security and storage solution company, Ahamed says they've noticed that overall margins of new technologies are better than basic security technologies, but sales cycles are longer.

Some of that extra margin comes from the fact that customers also see security products like AV, firewalls, and UTM as commodities--but not so technologies like DLP. "Many customers expect free implementations of AV and firewalls," says Prabhakar at Esteem Infotech. "However, they are willing to pay a premium for a professional implementation. After we complete a DLP project, for instance, we have documentation that goes into 70 to 80 pages, and we also provide training to the employees of our customer," he says. Esteem Infotech caters to customers for DLP, encryption, and application control with a minimum of 501 end points.

The margins that qualified partners expect are justified, says Bindra, since security is an industry where skilled manpower and consulting services come at a premium. His company, for example, recently won three DLP orders in the span of a month--orders that were sold by other partners who could not implement or showcase the value of the technology.

"It is no more a plain vanilla sell," agrees Prabhakar.

It's even less of a plain vanilla sell if you're pitching to SMBs. But it's a strategy with an upside. Security consulting services which are tailored to customer demands are a big differentiator for SMBs, says Mehta at Secure Network Solutions. "If a customer wants the ability to replace an appliance within a couple of hours, that's something no vendor can accomplish. So we charge a premium," he says. "Many customers who have bought solutions from other partners approach us after a year for services. Services (including consultancy) have doubled in the past year and we see the same this year too," he says.

"If you're selling to the SMB segment, it is especially important to understand that strategy's impact on your sales cycle. The sales cycle for SMB and the mid-market is usually one to two months compared to three to four months for the enterprise market and this affects margins," says Tyagi of Taarak India.

Profiting from the Cloud

According to the Indian Information Security Survey 2012, a majority of Indian business and IT leaders (52 percent) say that cloud computing represents the top security risk for their organizations. Only 16 percent say their security posture has gotten better after their companies moved to the cloud. (To see demand for ways to secure the cloud, read Cloud Computing: Heating Up). Any way you look at it, this creates a sizeable business opportunity for partners who can demonstrate that they know their way around the cloud.

Gupta's MIEL e-Security is one of those that has moved quickly on the opportunity. Last year, the company launched a cloud-based, end-point compliance product it calls MEDS. The in-house solution is targeted at the mid-market and enterprises and already has over 35 customers, says Gupta. They've also taken the product to the Middle East and other countries. Now, he is onto his second cloud project. "We are evaluating e-mail archival solutions over the cloud with Symantec Messagelabs," he says.

Other companies, however, are having a harder time profiting from the cloud. Although Chennai-based Digital Track Solutions has over a decade of experience in the security market and is aggressively encouraging its customers to go cloud, it's a challenge to find new customers, says managing director Ahamed. But he isn't throwing the towel in yet. "Customers are confident in our cloud pitch and, more importantly, the security around it," he says. To help drive sales the company has created a strategy in which senior sales people up sell DLP and the cloud to existing accounts, while new recruits have to pitch these technologies to new accounts.

At Esteem Infotech, Prabhakar isn't wasting any time ramping up to the potential of the cloud. "We are geared to graduate to cloud security in the next six months," he says. "Many partners who ventured earlier have made good money. If we do not get aggressive on it, then we will lose a big opportunity."

Prabhakar isn't the only one who wants some of that first-mover advantage sweetness. "We face less competition as DLP and cloud computing is still relatively a niche solution," says Ahamed. "There is great support from OEMs to sell these products including lots of training."

Even Datta at Futuresoft Solutions, who says his focus is to help his customers as they consolidate their architecture--and not necessarily drive emerging technologies like DLP, GRC, and cloud computing--says there's money to be made from the cloud. "Large enterprises will not shift quickly to the cloud. But distributed organizations (with less than 20 users) are exploring cloud-based services mainly in the FMCG, financial, and hospitality sectors," he says.

BYOD and More

BYOD is another definite trend according to the Indian Information Security Survey 2012. This fact is evident from the number of organizations putting policies in place to secure smart phones and tablets. Over 46 percent of Indian enterprises say they are making mobile device malware detection a top priority in the next 12 months. Another 66 percent say their companies are slated to increase spending on securing mobile devices. (To see demand for ways to secure BYOD strategies, read BYOD: The Next Big Thing)

Some of those plans are already translating into business for channel partners. "We are focusing heavily on securing mobile devices in large enterprises and we have some good wins with Symantec solutions," says Datta. His company, Futuresoft, he adds, has changed its whole approach, making content management the large story, a story that covers content protection and content lifecycle management.

The security market that caters to BYOD is still immature. And, therein lies a chance for channel players who want to be seen as forerunners and, by extension, experts. "Close to 90 percent of applications cannot be ported on devices because of 'dis-fragmented' solutions. There is no comprehensive solution in the market that can cover the length and breadth of BYOD," says Gupta at MIEL e-Security. That isn't stopping him, however, from dipping into the pool. Mobile device management (MDM) will soon be part of the 'Emerging Technologies Services' group, he says.

The lack of maturity in the market also makes this a perfect time for talented channel partners to be seen as thought leaders--and therefore offer consultancy services. "It is no rocket science to implement the technology but the thought processes and HR policies have to be in place for an enterprise," says Bindra of ACPL Systems.

Kuvadia at Baroda-based ITCG Solutions says they have initiated BYOD projects with a few customers and reports that security is a challenge. He also says that security enhancements in tier-II and tier-III cities are slower than in metros.

Authentication and IRM is another emerging opportunity, one that Digital Track Solutions has already latched onto by tying up with ArrayShield and other vendors. "Hopefully, we'll get an early bird advantage," says Ahamed.

Mehta at Secure Network Solutions in Chennai says he sees rising demand in logging and reporting thanks mainly to compliance.

In the meanwhile, back at MIEL e-Security, Gupta says that between 15 and 20 percent of the company's security revenues are already coming from the 'Emerging Technologies Services' division. "It will contribute over 50 percent in the next couple of years," he predicts.

This isn't a boat he's going to miss.


Stories by Yogesh Gupta
