Building a Business Model for IT Security

I’ve been involved in many discussions on IT security applications over the years, but today’s conference call with the IT Security Special Interest Group truly hit home on the business issues many channel providers face.  Many VARs and MSPs offer security applications to their clients, but could use help developing this expertise and in transitioning from a reactive focus on security to a proactive approach.

During the call, Fernando Quintero, VP of Channel Operations for McAfee and chair of the CompTIA IT Security group, outlined some of the issues facing channel providers, including their need to differentiate themselves from competitors. Just as much of the IT industry is transitioning from a strict reseller model to a solution and service model, VARs want to become the security experts for their clients. The end goal is to show customers how to mature in protecting their systems, moving them from calling when they have a breach or virus issue (reactive) to allowing them to design and implement solutions to prevent these issues from ever causing a system issue (proactive).

With some partners reselling eight to ten security solutions, consolidation to a few key vendors is another activity to consider. If a provider reduces that number to two or three comprehensive offerings, and can invest time in training and partnering with those companies, they can grow their expertise and product knowledge exponentially. Just because providers have a quantity of solutions to offer doesn’t mean holes won’t exist in their clients’ security– expertise in the topic and products is typically more important.

The rapid growth in virtualization and cloud/SaaS computing is also creating concerns for the business community, and security concerns related to these technologies need to be addressed. The CompTIA IT security community looks to develop tools and resources, possibly in conjunction with other groups in the association, to help providers address their customers’ questions and problems.

Both the strategic and tactical goals of this group will focus on helping channel providers build their IT security practices, and enhance the business with tools and best practices. Those objectives include creating technical and security business education resources, such as the upcoming video-on demand series. Training is needed to help providers educate both their employees and customers on security, as well as how to build the business around it (ensuring profitability from the expertise).

The IT Security group will expand the discussion in their breakout session during CompTIA’s Annual Members Meeting next month, particularly around the education, programs and tools channel providers need to develop a more consultative practice. The Chicago event, April 7-8 2010, is intended to build partnerships, share best practices, and address specific issues important to the association members’ businesses.