Channel treads the SMB security and storage minefield

Channel treads the SMB security and storage minefield

Market awareness

Rob O’Neill: I’d like to kick off the discussion by asking what is the best way for vendors and the channel to work together to educate the market on security and storage? Does the market need educating?

Shane Kerr: It is two very different things, because storage is just something they know they need because they keep running out of it. But security is something you have to tell them that they need, because they’re not aware of the lack of it.

Andrew Holding: Security is a bit like selling insurance. Unless somebody actually pushes it down your throat, you will think you’re okay and will survive fine without it.

Alfred Morgan-Jones: We’re actually finding security these days sells itself. The number of times we see in the press that websites are being hacked, and for instance, Twitter was recently hacked. Most of the businesses we deal with are very aware of the need and are extremely keen to have best of breed security, and it is an integral part of our selling process.

Shane Kerr: It is important that we educate our customers and advise them in many different ways about what is out happening there and what is shifting. Security, like storage, is a shifting game. The basics don’t change, but you have to align it to business needs. That does shift and each business is different, so you need to educate customers and make sure they are aware of what their requirements are. I think vendors play a good role in that, and I think we are seeing different ways of achieving that, either through seminars or campaigns.

Philip Adamson: We are very much helped by the media, aren’t we? Every security breach of any sort of significance gets sensationalised, and you can guarantee you’ll get a wave of interest if something big has happened.

Steve Martin: I don’t think Twitter was actually hacked. They were the victims of a denial of service attack.

Rob O’Neill: Conficker, at the start of this year, was one that obviously did hit some big organisations and I think we had a bit of a recurrence quite recently. People don’t actually go along cap in hand and ask for help. Do you find that that sort of stuff drives a deeper relationship with the channel?

Philip Adamson: Yes, but now we’re breaking security down even more, because there are some parts of security that are much, much easier to sell. AV [anti-virus] is just a no-brainer. Firewalls, you get a huge level of people who are prepared to just put in the router that came with their DSL connection and say, ‘that is my firewall’. That is where you have got a little bit more of a challenge. Anti-spam is getting easier and easier as volumes rise. What is getting harder now is getting decent backup solutions in, because people’s data has risen exponentially, and LTO-4 [linear tape open 4] drives are so expensive. We are suddenly finding after a couple of years of people happily buying LTO-2s that they are wanting to buy external 1.5 terabyte USB drives to put backups on there.

Pablo Garcia-Curtis: But it is the cost of an LTO-4 and putting backup exec on top of that. People say ‘for what I’m paying I can almost have a spare server for that’.

Philip Adamson: They’re buying five, one terabyte eSATA drives and just rotating them.

Steve Martin: One of the challenges that we have seen in the market is a lot of customers have some sort of security software, but it is generally not the latest one that is available to them, and most often available to them free of charge through their maintenance plan.

Because of things like Conficker, we know categorically that anybody running the current versions of our security software, Conficker, would never have touched them. But if they’re running a version that was two years or four years old, the security technology created back then wasn’t complete enough to protect against the changing threat landscape, and the way the threats have evolved so incredibly rapidly.

I am interested in your views on whether you’re seeing any challenges in continuing to keep customers up to date with the current versions of the software, versus just whatever version of security software they might have?

Pablo Garcia-Curtis: In the past 18 to 24 months we have seen a lot of people change their business, particularly around the channel, and the managed services tools have come out. We will manage those customers in some way so that we keep everything updated so they can concentrate on their business, particularly in the SMB space. Business partners see an opportunity and try to address that. They’re being advised that by maintaining the latest versions, they are minimising those risks. There is an opportunity between the channel and the vendors to work more closely, and make sure that the messaging is correct. If customers get complacent it is our job to make sure they realise what the business risks are.

Rob O’Neill: How do you make those communications, other than face to face?

Pablo Garcia-Curtis: [Softsource has] got a very strong marketing team. We are constantly advising our customers through weekly newsletters, and every month we have seminars and networking lunches so people realise vendors have a story to tell.

Shane Kerr: We have a big focus on bespoke development, but we try and cover end to end security and we understand content. One of the biggest challenges we face is people are oblivious to the scope or the breadth of the landscape. People often think of security as being about perimeter anti-virus and in their mind, they have it covered. They’re not concerned necessarily about content, and there are technical people making business decisions, so that is not a technology decision. Technology is about delivering enablement or protection, but it is not about the value or the cost or the exposure to the business, and I think that’s where the gap is. Are we communicating the right messages to the right people? If business decision makers understand the risk of exposure to the business, that then empowers the technology people to address those issues. Let’s stand back and talk to the business, and have the business tell us what they are concerned about. The finance industry, at one extreme, is probably a really good example of the business driving technology.

Rob O’Neill: How can resellers become trusted security and storage advisers among SMB customers?

Pablo Garcia-Curtis: As soon as there is an issue or there is any sort of threat, people do contact you. With those types of business, we need to become part of their team and understand their business requirements and needs and risks.

Shane Kerr: But there has been a couple of comments about people coming to us when they start to get visibility of the risk. Content for your network is a security issue, so that is a risk that the business needs to be assessing, but people won’t intuitively go looking for it until they hear about someone losing their laptop or something like that.

Legal is a really good example of a sector where there’s the need to protect intellectual property, because a lot of the smaller, more boutique firms exist by virtue of the fact that they have all got huge amounts of IP and large client bases. It is one of the really good market segments to identify that risk.

I have worked with a very small company employing 10 people. They lost one employee and I think it cost $1.4 million in the first year. They have a turnover that is extraordinary, but that amount of exposure and losing IP out of the business, that is a security issue. We think about antivirus and firewalls and malware, spam and trojans when we talk about security. We don’t necessarily talk about exposure of the business to loss of data.

Steve Martin: That sort of number is not unusual. I met with a CEO of a 200-employee company – a financial services company in Australia, and he said carte blanche, ‘we had a staff member leave us three months ago, and we think that cost us $2 million because they took their client list and took it to a competitor and actively worked the market and stole a bunch of customers’.

Philip Adamson: But you can only protect so far. If someone leaves the business they’ll have their client list in their head. A good account manager is going to be able to get in touch with their 20 top clients just from memory. If the business does not understand the risk and what they can do to mitigate that and the cost, they can’t make any firm decisions.

Rob O’Neill: Alfred, what do you see the barriers in the SMB space in terms of getting them to take security issues more seriously?

Alfred Morgan-Jones: In terms of getting the business case in, I don’t see any barriers. The management see the business case. The issues we have been having is around maintaining the operating cost. Unless we’re constantly telling them to maintain, it often lapses. So part of our challenge is making sure that we’re on top of that.

Rob O’Neill: A lot of organisations are working on reducing the operational costs aren’t they, so they can move that budget into strategic development. Is that a challenge?

Alfred Morgan-Jones: All the trends we’ve had recently is about project costs, like a complete infrastructure upgrade including the operating system, and the services are being leased.

Andrew Holding (above): That is what we’re seeing, a lot of people are prepared to pay the Symantec renewal and then when it actually comes to do the upgrade to the latest version they say ‘we’ll put that in the back pocket, because I want to spend that money upgrading all my antivirus and everything’. They will put the actual implementation side on hold and say ‘we’re okay, we’re not the best, we’re adequate.’

Shane Kerr: That is the apathy and ignorance, if it ain’t broke don’t fix it, which is very much the Kiwi way.

Andrew Holding: A lot of it is because budgets have been pre-set. You’ve got to reduce your cost, you’ve got to reduce your budget. That is why I said it is a bit like life insurance. You don’t need life insurance until somebody dies and then you say ‘I had better pay a little bit more’.

The ‘R’ word

Rob O’Neill: How has the economic downturn affected investment in storage and security?

Alfred Morgan-Jones: In storage, we have actually been hit reasonably hard. Projects which were coming on-stream for quarter two are being held back, so on some of the larger projects especially, we are having to come up with alternative ways of achieving the same result.

Rob O’Neill: Do you do much work in government, because it is going through this line by line review process at the moment, which is apparently affecting a lot of IT projects in Wellington?

Alfred Morgan-Jones: Lots and lots of projects which were absolute no-brainers are just gone. Bill English and I have got some words to speak to each other.

Steve Martin: We have seen a lot of consolidation of suppliers in the larger mid-market and enterprise space. Are you also seeing that in SMB, where they are trying to leverage their purchasing power and consolidate to fewer suppliers?

Andrew Holding: We are getting our fingers into a lot more pies because people are shopping around a lot more. They appear to entertain other vendors if something is a couple of dollars cheaper.

Shane Kerr: I think Andrew, it is something we’re seeing a bit too. They’re looking for other, cheaper options.

Andrew Holding: Our sales guys are pulling out of more opportunities at the second or third call than they actually carry through on. Presumably there are a lot of people who are just shopping around, going to one or two meetings. I usually walk away from that.

Rob O’Neill: What we are talking about in some respects is how recession-proof security and storage markets are. For example, the computer games market was touted as being recession-proof, but the news is all bad there at the moment. People suddenly stopped spending. What about in security?

Philip Adamson: People aren’t renewing their AV when they should. They think close enough is good enough. We are seeing a few people actually taking some of the storage back out onto workstations, rather than do super upgrades.

Andrew Holding: People are saying they are not going to go and buy the latest LTO-4. They say they’ll get a couple of extra discs, do a system backup onto the discs once every fortnight, and a pure data backup onto the tapes to try and make those last longer.

Steve Martin: Have you seen many people trying to solve their problem from a data perspective, consolidating data, removing data, archiving it?

Andrew Holding: When you look at the cost, a terabyte disc costs you $250. That is two and a half hours of somebody’s time. How long does it take you to go through your six-year-old files and try and work out what is valid and what is not valid? This is not worth it. We are seeing a lot of people trying to archive.

Rob O’Neill: Do you come across many people using cloud storage, or thinking about it?

Andrew Holding: It depends on the different products. We have got two, and the biggest differentiator is the data backup or system backup. A lot of the cheaper products are purely doing data backup. Code Blue has just released theirs as well, which is a data-only backup solution. It doesn’t do the whole system, so if you have got a small business client who is on it, and their server craps out, you rebuild the server and you do a brand new AV and you just bring their data back in and then you redo the security around that.

Philip Adamson: It is really important to have a system you can always rebuild. When you get an MD come to you and say my old CFO has just gone to jail and I need to look at his email – and we have had this happen – I need to look at his email because we think he did a lot of this stuff while he was still working here and he has been gone six months. Can you still do that with what you’re providing?

Pablo Garcia Curtis (above): The technology out there these days regarding virtualisation and the ability to take the physical and move it back to the virtual, it allows you to even minimise that downtime for the clients in different ways. So is there potentially a market? Absolutely. That’s an area that we have been doing for the past 12 months and been very successful at it.

Rob O’Neill: In the security and storage market, what are the pain points you are hearing from your customers, both from business and IT?

Pablo Garcia Curtis: There are probably some common messages from the financial side of the businesses, where they are worried about having that ability to continue doing business, and storage and security is obviously very topical for them. From the IT side, it is that ongoing maintenance cost and the ongoing operational cost that they have. They are probably being squeezed by the accountant, and would like to have the latest toys but know they have to be able to maximise that investment and get the best of the new software or applications that are utilising it.

Andrew Holding: The biggest thing is around cost. Smaller businesses are wondering why their backup costs are all of a sudden skyrocketing, because there is just so much data but the business isn’t growing.

Shane Kerr: The problem is that throwing storage at the problem doesn’t fix the problem, it creates a whole new set of problems. Backup is probably the biggest part of it and it is almost impossible to deliver on. I think a lot of people actually haven’t got their head around how to deal with it, and the cost is potentially huge. If you throw storage at the problem and you then throw tape at the problem you created, then you end up with something that is unmanageable and ridiculously priced.

People actually have to start thinking about their whole storage, and they’re not necessarily doing that intuitively. So they try and work out how to avoid it for as long as possible. They are just intimidated by it being in the too-hard basket. It is not like it used to be when backup windows and the SMB marketplace just wasn’t an issue. Nowadays it is about how many terabytes of information you’ve got

Andrew Holding: Also, the work window is being extended. In the old days there was five o’clock knock off, now people want access to their information until ten o’clock at night.

Shane Kerr: That is exactly how we do business. We have people in at seven o’clock in the morning, people go home at four o’clock and then start work again at seven o’clock that night and work until 10, and we are not an atypical business nowadays. People don’t want to spend an hour on the road in peak traffic, so they’ll spend it on the road at seven in the morning or four in the afternoon and then start working after hours. The backup window has become smaller, and the need and the pain point has just grown exponentially.

Alfred Morgan-Jones: Quite often, companies are keeping their hardware longer, which means it is not as quick and it is more a risk. You just can’t get space, so the risk of it really turning to custard if it breaks is higher. We are having to try and explain this to our customers and to make sure that they have a strategy in place.

Steve Martin: I think you hit the nail on the head that storage is cheap but management of storage is not. There is no point in storing anything unless you have a need to recover it at some point in time. So how do you find that information through mounds and mounds of storage? It is the ability to identify what is important and keep that, throw out what is not and retain it and find it across the long term. Those issues don’t change regardless of business cycle.

Pablo Garcia Curtis: Maybe that brings it back to the very first question around education of the different sides of the businesses, and how we communicate. You do have to have a very different conversation if it is to the board, or finance or marketing, or the IT guys about technology. I believe that is part of our role to make sure that we can advise and be sure they’re educated enough to make the right decision.

Into the clouds?

Rob O’Neill: So what are the trends in on-premise solutions versus cloud services with security?

Shane Kerr: Clouds are much easier because you can justify an LTO-4. If you are backing up three or four or 10 gigabyes, it is very easy to spend $4000 on a tape drive. That is where cloud services are really great in that SMB space – you can start giving enterprise level services, technologies and SLAs (service level agreements) at SMB prices. I think software as a service in terms of delivering that consolidation, multi-tenanting, high availability, all those kinds of really cool things that customers want, but they probably can’t afford.

Pablo Garcia-Curtis: It is cost effective today for SMBs. It is definitely something they look at and from Softsource’s perspective we’re certainly doing it. It has dramatically changed our business.

Andrew Holding: But the biggest thing for the resellers is ‘where is our clip on it’? In the old days it was quite good. If you sold a copy of anti-spam you knew you would make your margin to actually do the implementation. Nowadays if put this into the cloud, how does it affect livelihood?

Pablo Garcia Curtis: There are two conversations to have there and you’ve obviously done quite a large investment to have your own servicing cloud datacentre, which is very similar to ours. But if people know that it is local, they know who they’re dealing with, whereas that is not the case with some of the big vendors who are coming out now and providing a service.

Partnerships and training

Rob O’Neill: What kind of skills do you think vendors should recognise when certifying partners?

Shane Kerr: Well, I can jump straight into the Symantec one. I think it is important that it is relevant, and it shouldn’t be fuzzy. I get a Symantec sales certification because I can, not because it adds value, but it is perceived to. I will give value out of it, not because I’ve had the training, but because I’ve got the certificate. In a Microsoft world, becoming a Microsoft Certified Partner is I think valid because it says this person actually does have this understanding of the technology, and that is great. That I think is hugely of value, but having certification can be a little more arbitrary. I am not suggesting all of Symantec’s is. From a sales perspective I have to go and sit an online certification, and that will not actually make me more effective at selling. Mine just expired because I chose to ignore it.

Philip Adamson: A few of us are probably the same here. At renewal time for your Microsoft certification, or Symantec, or Cisco, you say, ‘I’ve got to get three of these, what are the easiest three to get’? You grab those and get it done, because it’s like going to the dentist at Microsoft renewal time.

Shane Kerr (above): Alfred would probably appreciate this. We did some stats at Maclean Computing on Cisco certification. We reckoned it cost us about $50,000 to get certified, which means we have to sell enough product to get a $50,000 increase in net profit to offset that. It was a really fine line and a huge investment.

Pablo Garcia Curtis: Are we being driven to be certified because we want the technology, or is it a financial reason?

Steve Martin: If a vendor has got a programme that says if you reach a certain status you get a cheaper buy price, you compete fairly with everybody at that same level at a reduced price, but you are able to win more aggressively against people who aren’t at the same level that you are? So is that an interesting and attractive offer?

Alfred Morgan-Jones: I thought the concept was that if the reseller has invested in the training, they will be rewarded by getting a margin so that you can cut out the guys who haven’t got a clue what they’re doing.

Steve Martin: That is the concept. The other approach we’re looking at very closely right now is taking an opportunity registration approach, on a customer by customer, opportunity by opportunity basis. If you have talked with a customer first, you have created the idea, you’re engaging the solution to register that, so that you get the preferential opportunity on that piece of business and differentiate yourself against anybody. Is that less attractive or more attractive?

Shane Kerr: One of the things that happens, it becomes a shit fight to get the registration and people ask who spoke to a customer first and added the value. It is a strange model isn’t it?

Pablo Garcia-Curtis: The way that I see it is you want to engage and help people and make sure the message is correct by engaging early and creating a pipeline, so you register and therefore you can work with that person to make sure everything follows through and it is a successful campaign. What you are trying to avoid is the drive by. We are seeing quite a lot of it from other vendors as well these days who will do a drive by.

Steve Martin: You want to reward the people that have done the work through the cycle.

Shane Kerr: Exactly. So people that are smart enough and can also infiltrate that system if they want to register opportunities, so again it is clear on the engagement.

Steve Martin: But it is very hard to register an opportunity when you don’t know about it, and the guy who has had the first conversation has gone and registered it, it might not always be the best guy.

Shane Kerr: It is your execution of it, the delivery and the pain point is actually really hard. It is hard for it to be an effective model based on the scenarios that I’ve seen. Citrix have had it before. I’ve seen registration opportunities with VMware and said, ‘how the hell did that person get to register that opportunity’? They’re not adding any value. Or the situation where it is exactly the reverse, where we’ve actually had the registration on the opportunity, and we are not the guys adding value.

Andrew Holding: I don’t think there is a perfect model, otherwise somebody would have latched onto it now. We want to invest in your product and we want some sort of financial security.

Pablo Garcia-Curtis: I think you can put all the models in place that you like, but you also have to have the people behind it and ticking all those boxes, that it is going to make us successful.

Steve Martin: And it has to be easy.

Rob O’Neill: So what are the opportunities for the security resellers before and after sales in terms of consulting and configuration? Where do you see the opportunities in the market apart from a sale of the particular project or service, or box?

Pablo Garcia-Curtis: Technology change is definitely one, and I think business improvements and business realignment would be the other way of doing it. Business needs and requirements are changing. I think in the small business area particularly, even in the mid-market, we are seeing certain individuals wearing multiple hats. How many small businesses can we walk in today and see that the general manager is also the finance guy, the sales guy, the IT guy and also the guy that makes the coffee? We need to look at the areas where we can build a partnership and allow them to continue to do what they’re best at - building their business and allowing us to do what we are best at in protecting and helping and assisting them to grow that business.

The road ahead

Rob O’Neill: What are the biggest areas of innovation in security and storage?

Shane Kerr: Storage virtualisation. If a customer needs four terabytes, they’ll go and buy one because that is actually all they need for now. I love that as a concept.

Philip Adamson: To me it is the continuous incremental backup technology that is coming through, from a disaster recovery point of view. We implemented that for AMP in the early 90s, but to see it coming of age as a storage technology, as backup technology, is brilliant.

Andrew Holding: I like the cloud stuff, the hosting side as well as the process. We can put it together at the back-end and then go and implement it on the other side. When you can just add a little bit of storage for the short term, you don’t need to pay for it long term or buy it upfront, and we can deliver that to the smaller guys. We started off as a pro-services business and got into the hosting side because that combination, to be able to spend a bit of money and be able to give that to all these different customers, is great.

Alfred Morgan-Jones: Storage virtualisation is up and coming and to be able to connect an IBM or HP or Hitachi SAN and use it as a single device is fantastic. What scares me now is de-duplication of your primary storage, not your backup, your primary storage.

Having that as your central storage mechanism, that scares the crap out of me. It will revolutionise the IT industry and will make people like EMC, HP and IBM think ooh, no.

That is why there was this huge tussle over Data Domain. The software they had in their appliance was excellent. It was absolutely the best in the industry. If you can actually de-duplicate your primary storage and make it work and keep the performance, great.

Andrew Holding: Yeah, backups are great and I think it’ll get there eventually. It is like the old days of a Dell Version 2. You could copy a file to the server and go to the next workstation and it still wasn’t there. Eventually it will come right.

Shane Kerr: Well, I hope that it doesn’t though because it is one of the barriers that worries me with any emergent technology. If it comes in fairly seamlessly you get good adoption. But if not, you actually have to convince people five years later that really it is not a heap of crap. Microsoft and security is one of the really best examples of that.

Trying to have Microsoft sell security, and Microsoft have a really good view on this, which is there is a fundamental difference between creating a product that is secure and creating a product that delivers security.

If you are looking at adoption, that actually has to go well, otherwise they’ll take another five years and I really don’t want to see that happen because it actually is relevant. We have huge challenges around the sheer volume of storage and de-duplication just eats it.

Pablo Garcia Curtis: It is not only the emerging technologies coming through, but also the way that things are being stacked all the way from your mobile phone to your PC into your mainstream datacentre, or even out to the cloud. Each one has their own type of security as well, and it also happens storage and how you look after that IP.

So as security is evolving, you are also going to have different layers of security across your organisation that you have to manage and so on, and that is also another exciting opportunity to be able to look after all the different types of security and manage those as well for the client.

Philip Adamson: We’ve actually got a situation where storage capacity is now being driven by the domestic market, rather than the business market. An average home has more requirement for storage than an average business, with your digital cameras and your MP3 players and the media centre.

You’ve all got friends who have called you and said ‘oh no, my PC has crashed out, I had all the holiday photos on it’. I have actually got to the point now where I have got a couple of terabytes of external drive that when I just happen to be going for dinner I back up to this PC.

Pablo Garcia-Curtis: Steve, where do you guys see the opportunities? Where are you getting excited about?

Steve Martin: I would encourage you all to take a strong look at our stop buying storage campaign. It actually scares a number of the hardware vendors and scares a number of the hardware-reliant resellers, but we’ve talked about de-duplication. The storage solution in our view is such a complex solution with so many aspects to it, and data de-duplication is just one.

Storage virtualisation is another. It consolidates a whole range of technologies that tackle different components of the storage explosion. So I really would encourage you to have a look at that and make your own minds up about whether the approach that Symantec is taking, adds some real value.

Because we have no vested interest in selling hardware and as a result of that, we can only get the message through to the customers that can actually find that they can stop buying spinning disc and do so much more with what they’ve got today. We’ve touched on really the consumer side of IT and the reality is there is no such thing as enterprise or SMB or consumer. For me, the real opportunities are the pioneering things we are doing at the consumer space and at the enterprise space, bringing those two components together. Taking things like de-duplication, which is still expensive, it is still enterprise level technology, and feeding those further and further down the food chain, so that we can cover more of the SMB sector and ultimately the consumer sector.

Philip Adamson: This is a little bit of a soapbox of mine, but I have been talking to Allan Maclean, Chris Simpson and Andrew Hunt, and there are a lot of us who are not cowboys. There are people in Auckland who are cowboys and I think it is really important that people like us get together and talk.

People who have been in business 18 or 13 years, or whatever it might be, who are looking after 30 or 40 clients really well. When a client comes to you and says their IT provider is crap and we find out it is Securecom, and you know they’re not cowboys, you think it’s more likely that a) the client is crap or b) I should give Andrew a call, because perhaps he just hasn’t noticed they are unhappy and that it can be fixed.

• If you would like to suggest a topic for a Reseller News roundtable, or be involved in a discussion, contact Reseller News’ editor on 09 926 9118 or email

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags storagesymantec



Show Comments