Four years ago a well-known security vendor undertook a successful advertising campaign for one of its core B2B products using the slogan ‘See it. Control it. Protect it'. A quick visit to the same vendor's website today finds that that bold and impactful statement is no longer anywhere to be seen in conjunction with the product in question. In its place is the rather less strident strapline ‘Agile cybersecurity for businesses of any size'. Considering the two phrases are intended to encapsulate the same product, the difference in tone could hardly be more stark.
So, what's changed?
Whatever it is, the first thing to note is that it has seemingly changed for everyone; examining the company mottos of other major security brands reveals a similar absence of conviction and absoluteness. Examples include ‘security made simple', ‘together is power' and, perhaps most tellingly, ‘keeps you one step ahead'. Considering that these are all companies entrusted with the task of protecting their customers' most valuable assets - and, indeed, their very existence -the lack of certitude could seem a little surprising.
But, then again, perhaps not. In the last few years the IT landscape - and the wider global climate - has increasingly come to feel like a world in which little is certain, and nothing is safe. Huge multinational corporations are regularly breached, as are the highest levels of government in major nations. Meanwhile terms like ‘ethical hacker' are no longer oxymoronic, and many security specialists openly trade on their ability to catch and attackers only once they have successfully broken through, and not before.
Meanwhile as-a-service models have revolutionised the way IT is provided and consumed. For end users, the key benefits are clear: a huge reduction in capital expense; and round-the-clock access to a level of expertise they could never hope to recreate in house. But the managed services model comes with some stiff challenges for VARs whose cashflow has always been maintained by upfront product revenues and generous rebates.
Not to mention channel salespeople used to selling big projects that come with equally hefty commission payments. And perhaps most challenging of all is the task facing marketing teams trying to promote security in such an obviously unsecure environment.
However successful they have been in the past, the old sales and marketing tools of the channel - and the individuals that provide them - need to evolve, and quickly. But the process need not be a painful or puzzling one, if a few principles are observed.
The old saying has it that salespeople are coin-operated. While most modern sales professionals would baulk at such a reductive characterisation, not many would deny there is a fairly sizeable grain of truth in the statement. Certainly there are few, if any professions, where reward is so relentlessly coupled to performance.
And the best performers are, typically, happy to work within a reward structure that takes that symbiosis to an extreme. The sales director of a security channel player once told me that, in an ideal world, he would work for a salary made up of five per cent basic and 95 per cent commission - and that he looked to recruit staff who felt the same way.
That may be a radical and unrealistic example, but the fact remains that commission is a major part of how all salespeople make a living. And, if they want to be successful, managed security services providers (MSSPs) need to make sure their sales force is incentivised effectively and geared up to sell.
Ten to 15 years ago the equation for security resellers and their frontline commercial staff was simple: the bigger the sale, the bigger the reward - with everything paid upfront. A large project booked by a salesperson in one month could mean a healthy commission payment in the next. This simple model clearly benefited both VARs and their employees, with both parties profiting financially.
Nowadays the proposition is far trickier. A salesperson earning 10 per cent commission that closes a £20,000 on-premise licensing and hardware deal can, clearly, expect extra earnings of £2,000 in their next pay packet. If the same deal is converted to a two-year managed services contract in which the customer pays monthly, the salesperson will - in theory at least - see an increase of just £83.33 in their next paycheque.
This creates a clear conflict of interest between companies wanting to offer managed security services and the people they are employing to sell them. If a salesperson enjoys far more - or at least far quicker - financial benefit from selling product than from selling an equivalent amount of services, then what incentive is there for them to direct their accounts away from the former and towards the latter?
Depending on how quickly and to what extent companies want to move their business towards as-a-service models of delivery, they must ensure that sales staff are just as well incentivised and compensated - if not considerably more so - for selling services as they are for selling product. This could mean offering commission on something resembling a leasing model, with channel firms covering the cost of upfront payment, and recouping the expense in monthly chunks.
This system not only allows salespeople to enjoy the same rewards they are likely used to, but also gives their employer an extra slice of predictable recurring revenue. What is more, it is easy to build flexibility into this model, and make it even more employee-focused by offering a range of compensation options allowing them to choose whether they receive payment on a monthly, quarterly, or biannual basis.
But selling services successfully is not merely a matter of changing how you pay your staff, and letting them get on with it. The sale itself is a far different proposition, requiring new skills and approaches.
In the early days of mainstream internet adoption, selling content and network security was a simpler proposition. Threats - and the people and entities behind them - were far less sophisticated, and antivirus vendors and their channel partners could, effectively, promise customers that they could erect an impenetrable wall around their organisation's IT estate. Sales were almost certainly signed off by IT managers whose chief concern was technical fortitude. So long as the technology came with the assurance of an industry-leading detection rate, money - within reason - was a lesser concern.
Nowadays, the pitch needs to be a great deal broader. In all areas of IT, impressive-sounding technical specs are no longer enough to seal the deal. And nowhere is this more true than in the world of security, where the limitations of the technology can make global headlines.
And that is without factoring in the move from selling a product to selling a service. Selling machine learning and software engineering expertise - not to mention a contractual engagement and ongoing relationship that could extend a number of years into the future - requires a more consultative sell. Not to mention the skill to sell on ‘soft' benefits such as productivity gains and the prevention of reputational damage, and the patience to stay the course of a longer sales cycle.
Channel firms wishing to evolve into MSSPs need to ensure they have the right sales skills to prosper in the new world of managed security. This will, at the very least, involve investing in training incumbent staff. In most cases it will also require hiring experienced services-focused sales staff to help set the tone.
Marketers, meanwhile, also need to develop different approaches and cultivate new skills. The key function of the IT security industry has shifted from ‘protect' to ‘detect and mitigate'. It would be easy for end users to construe this as a concession on the part of the security industry, and demonstrable ground gained on the part of the attackers.
It is important that the marketing professionals ensure that this notion is swiftly and decisively disabused. Because the reality is that, in the MSSP world, the IT security industry is more on the attack than ever before.
With the move to proactive monitoring and threat intelligence - which only comes with true managed service - the focus has changed from simply putting up a barrier to keep threats out, to actively and aggressively pursuing each breach and its perpetrator. Not only to remove the threat, but to identify and isolate it, and to mine as much information from it as possible, so as to combat other attacks better.
It is of crucial importance that channel marketing teams are completely candid in acknowledging the huge challenges facing IT security providers and their customers: the new-found sophistication of the threat landscape; the increased attack surface; and the fact that security technology sometimes has to play catch-up to emerging forms and methods of attack. But, alongside this, it is key that they paint a detailed picture of how managed security services allows MSSPs to fight threats in a far more proactive and combative way than ever before. Or, put another way: attack is the best form of defence.
For more information about how SolarWinds MSP can help managed services providers, click here