Distributors and Cybersecurity - Arrow Magazine - Arrow Electronics

41 downloads 220 Views 9MB Size Report
more complex solutions come to market. ... In addition, getting cybersecurity solutions to market is not without its ...
Distributors and Cybersecurity Forging New Partnerships, Strategies to Tackle Today’s Advanced Threat Landscape

GTDC

GLOBAL TECHNOLOGY DISTRIBUTION COUNCIL

About this Report

Quick Links

CommCentric Solutions, a channel-focused research and communications firm, produced this report based on an exclusive cybersecurity-related survey of GTDC distribution members, as well as in-depth, related interviews with leading channel executives from distributors, market analysts and IT security vendors. CommCentric’s knowledge base and focus areas cover all dimensions of the channel community, from technology vendors and solution providers to distribution business models. The company’s research practice is led by Scott Campbell, a veteran channel reporter with more than 20 years of related experience, including at CRN, the industry’s leading trade magazine.

Distributors Doing What Distributors Do Best . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 It’s a Cyber World and We Need to Protect It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Establishing New Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Overcoming Misconceptions, Simplifying Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Endpoint is the New Perimeter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 More Education is Critical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Cloud is Coming, But On-Premise Still King . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

www.commcentric.com (813) 876-0414 [email protected]

GTDC

GLOBAL TECHNOLOGY DISTRIBUTION COUNCIL

Whither Physical Security? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Cultivating New Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

www.gtdc.org (813) 412-1148 [email protected]

2

3

Cyber Success: Distributors’ Security Business Accelerates with New Relationships, Innovative Approaches

From high-profile cyberattacks of major corporations to alleged hacking of government elections and agencies, cybersecurity is at the front and center of almost every aspect of the information technology industry these days. As we evolve further into a digital world, how we protect information will become even more vital — so do the tools and programs we use to make sure security technologies are sold and deployed in the most effective way. Distributors, often viewed as innovative drivers of new technologies to market, have an increasingly crucial role in how cybersecurity solutions are deployed to customers. By vetting new vendors, bundling disparate security products into complete solutions and enabling partners to become trusted security experts in the market, distribution is increasingly seen as a catalyst for cybersecurity by both vendors and solution providers. That trend is evident by the increasing number of security companies interested in distribution. According to a new study by CommCentric Solutions on behalf of the GTDC, distribution leaders say that security companies are more interested in establishing distribution relationships than vendors in other technologies. 1. Network Security TOP

3

Cybersecurity Focus Areas in Distribution

2. Cybersecurity 3. Mobile Security

The survey also reveals that distributors believe complex cybersecurity solutions tackling GTDC Distributor Survey – Cybersecurity, August 2017 ransomware and other advanced threats have the highest-growth revenue potential for their business, tied with network security. In addition, getting cybersecurity solutions to market is not without its challenges. The study also finds that distributors think many solution providers aren’t equipped to adequately sell security solutions. But therein lies the opportunity — distributors have invested in security-focused business groups aimed at enabling new vendors and new partners to provide end customers with as much protection as possible.

Distributors Doing What Distributors Do Best Benjamin Franklin once wrote, “…in this world nothing can be said to be certain, except death and taxes.” However, if the Founding Father were alive today, he might add IT security threats to the list. It’s been estimated that hundreds of thousands of new variants of malware are introduced every day. Security vendors do their best to keep up, but they also must rely on many thousands of partners to ensure their solutions, patches and updates are correctly dispersed down to customers. 4

Over the last 30 years, distributors have developed, tweaked and transformed their business models to effectively manage such functions, ensuring timely response to market, as well as the training and support necessary to facilitate a smooth customer experience. As security needs increase due to changing consumption models, threat vectors and the proliferation of non-traditional devices connecting to networks, vendors need to rely even more on distributors, according to Erick Foy, director of distribution and SMB channel sales, at Symantec. “Distributors bring huge benefits, scaling our business in the unmanaged partner segment. Utilizing their reach gives us the ability to communicate and sell our offerings, accelerating growth and market share,” Foy said. “This will always be an ongoing opportunity for distribution in our business. Our solutions touch all segment and verticals and constant enablement is required to ensure our channel ecosystem is properly trained and equipped.” Symantec has a long history with distribution and those relationships will only grow stronger going forward, Foy said. “Security requirements, especially in the cloud, are often dynamic, very complex and require a level of integration that is difficult for channel partners to do on their own,” he said. “Partnering with strategic distributors with a comprehensive security practice that can support an integrated platform will become key for our channel partners to be successful.”

It’s a Cyber World and We Need to Protect It For the last several years, network security has been a boon to distributors, vendors and VARs, but that is changing, according to executives, as advanced threats become more prevalent and more complex solutions come to market. As mentioned above, survey respondents ranked the revenue growth prospect of cybersecurity solutions equal to that of network security, indicative of the changing nature of the market. Mobile security was a distant third, followed by PC security and physical security/surveillance. Meanwhile, distributors also said malware and ransomware creators developing new ways of evading existing security solutions will have the biggest impact on their cybersecurity business. Businesses and organizations not having enough budget for IT security solutions was second.

Biggest Impacts on IT Security Market Malware and ransomware are developing new ways to evade existing security solutions Businesses and organizations don’t have enough budget allocated for IT security GTDC Distributor Survey – Cybersecurity, August 2017

“High-profile headlines around ransomware and cyberattacks are raising awareness and driving demand for more robust, relentless and real time IT security solutions and managed IT services through the channel,” said Eric Kohl, vice president, Networking & Security, Advanced Solutions at Ingram Micro.

5

Alex Ryals, vice president, Security, Americas at Tech Data’s Security and Networking solutions business unit agrees, noting that relationships with cybersecurity vendors will only rise as stories about security vulnerabilities in non-traditional devices continue to occur, such as vending machines and aquariums getting compromised. “It creates major problems for IT as hackers get more creative and more successful,” Ryals said. For example, endpoint technology can no longer rely solely on signature-based detection and must rely on new protection methods to minimize risk, said Tech Data’s Ryals. “Now we’re transforming to behavior-based analytics and cognitive-based technologies,” he said.

Establishing New Partnerships The good news is that a growing number of cybersecurity vendors are eager to leverage distributors to reach a wider swath of customers through solution providers, executives said. As mentioned earlier, 75% of distribution respondents surveyed noted IT security vendors are more interested in new distribution/channel relationships today than vendors from other technology areas.

75% of distributors cited security solutions as the most active category for new partnerships. GTDC Distributor Survey – Cybersecurity, August 2017

“Specifically, emerging vendors have been recognizing the value of existing distributor/reseller relationships as a means to fuel their growth, since their solutions are often complementary to security solutions already supported by the reseller,” said Kirk Nesbit, vice president of design and support services at SYNNEX. “Furthermore many security vendors have modest technical resources to support pre-sale activities, and IT security is almost always a services-led sales process. Distribution is one of the key ways to cost-effectively help security vendors scale their businesses.”

Ingram Micro’s Kohl agrees that more security vendors are interested in distribution — but finds many don’t fully understand or leverage the value that distribution brings. Distributors can provide continuous education and training for MSPs and MSSPs, as well as their customers, which is critical because of the constant evolution of threats, he cites. “There is still work to do with some of the emerging vendors,” Kohl said. “Distributors can absolutely help channel partners take advantage of everything that security vendors have to offer, including new specializations, programs and certifications.” Michael Diamond, industry analyst, Channels & Enterprise Technologies, at The NPD Group, said security vendors, particularly newer companies, simply don’t have the reach or flexibility to touch all market segments as quickly as the channel can — particularly SMB clients. Any specific vertical market is made up of numerous sub-markets, all which are better served by distributors and solution providers, Diamond added. “As much as Fortune 1000 or 500 is the juicy part of the orchard for vendors, markets such as healthcare have thousands of dentists, physicians and more that need to be protected,” Diamond said. “We say that verticals such as healthcare (e.g., Hospitals) are important but really

6

it’s the sub-verticals like dentists, podiatrists, ophthalmologists, etc., that are key. Distributors are masters at enabling the reseller in helping vendors reach those highly fragmented markets.” In addition, Diamond mentioned that distributors have the unique capabilities of pairing industry-specific security needs with partners selling the appropriate complementary hardware and software used by those industries.

“We say that verticals such as healthcare (e.g., Hospitals) are important, but really it’s sub-verticals like dentists, podiatrists, ophthalmologists, etc., that are key.” — Michael Diamond, The NPD Group

“Security vendors will offer specific solutions that are going to resonate more in some of these verticals due to government legislation and the information they need to protect. Thus, it is easy for a distributor to mine their robust customer database and find those resellers that are selling into those markets and drive demand on behalf of that vendor.”

Overcoming Misconceptions, Simplifying Complexity One primary misconception that start-up security vendors (or anyone thinking of distribution for the first time) have is that IT distributors don’t provide services, said Matt Rochford, vice president of the Cybersecurity Group within Arrow Electronics’ Enterprise Computing Solutions (ECS) business, recalling one recent conversation with a new vendor that thought Arrow was simply “the bank and the barn.” “They only saw us as warehousing product, providing credit and processing orders. That’s not where we’re at. We are a solutions aggregation community,” he said. Distributors spend a great deal of time educating vendors, demonstrating value around solutions integration, financial programs, delivering cloud-based consumption products and enabling the channel to be extensions of the vendors’ selling arm, he added. Rochford estimated there are more than 1,300 security vendors in the market, and his company carries less than 10% of those. “There’s a large number of vendors in start-up mode with investors and they want to know how to get to market through a channel. They look for us to guide them, to share best practices. That’s an extremely common conversation,” he said. In contrast, vendors insisting on a direct sales model tend to be those that offer simpler, lower cost product offerings, said Mike Rogers, CEO at Tarsus SecureData, a South Africabased business unit of GTDC member Tarsus Group.

“There’s a large number of vendors in start-up mode with investors and they want to know how to get to market through a channel. That’s an extremely common conversation.” — Matt Rochford, Arrow Electronics

“The criticality of solutions, as well as the complexity and rapid changes in cybersecurity technology, drive the need for specific skills to support a broad channel,” Rogers said. “Those are skills that are best enabled through distributors. We have the programs, reach and experience to do so.”

7

Endpoint is the New Perimeter Endpoint security in particular has become critical to cyber protection, as more non-traditional devices connect to the network, said Carol Giles Neslund, vice president and general manager of Westcon-Comstor’s Security Practice, recently acquired by SYNNEX. Indeed, the focus on endpoints has come full circle, especially as new types of endpoints including phones, tablets and IoT sensors have exponentially increased the number of devices touching the network, she said.

Solution Providers Need Help

A Vast Majority

of distributors say solution providers

don’t have the expertise/skills to properly sell security

GTDC Distributor Survey – Cybersecurity, August 2017

“It’s such a powerful attack vector. The sophistication of phishing and spear phishing has increased and there’s such a human element involved that the endpoint becomes critical to secure,” Neslund said. “That said, I think we could also see new innovations in the firewall space.”

Likewise, a small percentage of Arrow’s solution providers have a solid security practice, said Rochford. “The reality is that most are selling security products, not solutions. There’s a big chasm between those that are truly going in as security consultants and those that are reselling,” Rochford said. “Vendors absolutely are looking for us to enable those partners. That’s a core element of our value proposition. It takes time, but we bring operational efficiencies to market that help them enable partners better and more quickly.” Adds Symantec’s Foy, “Training will always be an ongoing opportunity for distribution in our business. Because our solutions touch virtually all segment and verticals, there is a constant, continuous need to ensure our channel ecosystem is properly trained and equipped.” Part of the problem is finding security experts to keep on staff, said SYNNEX’s Nesbit, who notes that there will be an estimated shortage of 1.5 million IT security professionals by 2020, according to Frost & Sullivan. “These professionals tend to be among the most difficult and expensive resources to find. IT security readiness and compliance are often readily addressed by project-based services, and we have aligned a deep bench to help with this,” he said.

More Education is Critical

Cloud is Coming, But On-Premise Still King

About 75% of distributors surveyed said solution providers don’t possess the expertise or skills to properly sell IT security, inferring that there’s a lot of work to be done to enable more partners to become the security experts that vendors need and customers want.

On-premise solutions still make up the vast majority of IT security sales through GTDC members, as the adoption of cloud and hosted solutions still develops. More than 90% of respondents said cloud-based solutions make up less than 25% of their security revenue.

Obviously, there are some world-class security solution providers who are skilled enough to manage complex IT security environments, but there aren’t enough to meet demand, said Rogers of Tarsus. “Most channel partners struggle to attract and retain the breadth and depth of skills necessary to support the most complex and largest engagements,” he said. Distributors can help elevate these partners — and the vendors they carry — in terms of short-term help such as pre-sales activities, solution designs and development of bills of material. They can also deliver long-term support by providing training and support for obtaining proper security certifications, Rogers added.

Enabling Partners is Crucial How well are solution providers equipped to help customers with IT security solutions?

62.5% 25% Poorly

12.5% Okay

On-Premise Security Still Reigns

For example, on-premise solutions account for about 90% of Tarsus’s security revenue, said Rogers, but the growth in sales of cloud-based solutions is outpacing that of on-premise solutions and could surpass the traditional model in as little as five years.

Cloud security revenue accounts for less than 25% of overall security revenue, compared to on-premise solutions, according to distributors

“The adoption of cloud services has altered GTDC Distributor Survey – Cybersecurity, August 2017 the security industry in two critical ways. First, by moving infrastructure, data and applications into the cloud, organizations have had to tackle the challenge of ensuring that their security models that used to work on-premise still operate effectively in this new architecture,” Rogers said. That’s accelerated the demand for technologies necessary to security enterprise assets wherever they may be located, he added. Second, the adoption of cloud and XaaS architectures for traditional infrastructure has caused businesses to be more comfortable with the concept of security as a service.

Very Well

GTDC Distributor Survey – Cybersecurity, August 2017

8

9

“Security as a Service is enabling organizations to rapidly prototype or adopt security capabilities; to lower costs of securing their businesses and to take advantage of scarce cybersecurity skills that they may not be able to retain themselves,” Rogers said. Cloud-based security sales are accelerating as distributors enable more partners to sell hybrid IT solutions, said SYNNEX’s Nesbit. “Virtual firewalls, access control, and site-to-site VPNs are all examples of IT security technologies that are growing exponentially due to cloud adoption,” he said.

Cultivating New Relationships So when is the right time for distributors to sign a new security vendor? It varies, said distribution executives, but in many cases, it starts when the vendor realizes it needs help to grow. At the recent Black Hat USA 2017 conference, Tech Data’s Ryals said he talked with about 10 security vendors interested in distribution, about half of which had not historically been interested.

Whither Physical Security?

A few of the conversations were initiated by venture capital firms that own significant interests in the vendors, Ryals said. In some cases, the VCs held ownership positions in other companies that have leveraged distributors and understand the value. “They want their clients to grow through distributors,” he said.

Physical security is another growing market, but the majority of distributors said it’s not a key component of their overall IT security business, according to the survey.

When companies get to a certain size, the fundamental value of distribution becomes evident and useful, said Westcon-Comstor’s Neslund.

That may change in the future, but as of right now physical security, including surveillance equipment and IP cameras among other products and services, is run separately. It’s growing, but it’s separate. For now.

“Vendors realize that they can’t effectively manage the sheer level of transactions of so many channel partner accounts. When they get somewhere between $10 million and $50 million in annual revenue, there’s an awakening to ‘Hey, I could use that service,’” she said.

50% consider physical security a key

component of overall IT security business

GTDC Distributor Survey – Cybersecurity, August 2017

“Without physical security, secure business processes and trained and aware security staff, IT security is only as strong as the weakest link. However, physical security doesn’t form part of Tarsus SecureData’s business,” said Rogers. Integration, or at least common management, between traditional security and physical security solutions will become more important, and physical security should be a key component of overall IT security business, said Ingram Micro’s Kohl.

“As demand for video and surveillance solutions grows — along with the prevalence of IoT and connected devices across the WLAN — cybersecurity must be a part of the solution,” Kohl said. NPD’s Distributor Track, which tracks aggregate sales through data from GTDC members, reports solid revenue growth in physical security and complementary products such as switches, power-over-Ethernet equipment, access points and more, said Diamond.

The biggest challenge security vendors must overcome is acknowledging the cost to use distribution and figuring out an economic model that makes sense, Neslund said. Distributors could do a better job explaining that model as new technologies and new delivery models take root in the market, she added.

“Vendors realize that they can’t effectively manage the sheer level of transactions of so many channel partner accounts.” — Carol Giles Neslund, Westcon-Comstor

“You can talk to them about the cost of complexity, the cost of hiring more credit people, more channel account managers, hiring a whole infrastructure inside your organization to deal with so many customers, so many channel partners. That’s a significant cost to vendors,” Neslund said. “Can you scale fast, or go after big partners? Distribution helps you fulfill demand, but also enables small resellers to effectively reach downstream.”

“This is important since many resellers had to hire a contractor to crack open a wall to install the wiring, etc. POE is changing some of that, making it easier for resellers to get in the game,” he said.

Increasingly, security vendors will rely on top-tier partners to serve customers — especially those that have close ties to distributors, said Kohl. “This makes them increasingly more valuable to the customers they serve and well equipped to handle IT security for their customers,” Kohl said. “In either case — well equipped or not — having a close tie to your distributor is a tremendous value.”

SYNNEX’s Nesbit said physical security is growing and should be a requisite for a comprehensive IT security practice going forward. “Physical security ties very closely to the physical and administrative controls that are requisite in capturing data in terms of who has access to an organization’s facilities,” he said. “Unfortunately, physical and administrative controls are often some of the last boxes checked in an organization’s overall security readiness, except for those in the most highly regulated industries.”

Finally, as high-profile ransomware and cyberattacks raise awareness and drive demand for more robust, relentless and real time IT security solutions, distributors are perfectly positioned in the supply chain to ensure that the right solutions get to the right partners and the right customers. The programs are in place and the services are available — it’s up to vendors and solution providers to take advantage of the opportunity, said Ingram Micro’s Kohl. He adds “If they don’t answer the call for better security for their customers, someone else is or soon will.”

10

11

141 Baypoint Drive N.E. St. Petersburg, FL 33704 Phone: 813.412.1148 Email: [email protected] Web: www.gtdc.org Twitter: twitter.com/GTDC_org

GTDC

GLOBAL TECHNOLOGY DISTRIBUTION COUNCIL