
Security VARs -- Buyer beware

A value-added reseller is not a security panacea, but according to security specialist Mike Rothman, it has its advantages.

When small and medium-sized business (SMB) folks ask me how to build an information security program, I often tell them to use a value-added reseller (VAR).

Five questions to ask your VAR

1. What do you think of my security architecture?
Ask your VAR to critically assess your ideas. This is a good way to find out if they are trying to sell you more than you need or if they are constructively filling holes in your architecture.

2. What is your security methodology?
Not having one is a reason to be concerned because they'll tend to lead with what is hot (or what offers the biggest margin), as opposed to fulfilling your needs.

3. Do you support the products?
Make sure the products you buy from the VAR have top-flight support and that during any testing period, you exercise the support capabilities.

4. Which other products do you rep?
You need to understand the breadth of what the VAR can offer, as well as how many products they rep in each security category. Ask why they are recommending one product over the other, and understand the margin they are making on the purchase. If they can't explain why a product is better for your specific environment, that's a red flag.

5. How many of these things have you sold?
You never want to be the first customer of a new product for a VAR. They won't know whether it really works and they won't be able to appropriately architect and size the environment. You are a small-to-medium-sized business; there is no need for you to be the first. Let the VAR learn on someone else's dime.  

VARs can definitely make life easier, and that's a good thing. SMB technology professionals have it tough, between ubiquitous regulation and limited resources. Security is one of those things that does not add revenue, so it can fall through the cracks. That is, until you have a problem; then security becomes front and center very quickly.

So you know you need to implement a security plan, but where do you start? What do you buy? The reality is, the proper level of security is different for every organization.

Large enterprises bring many resources to the table, such as task forces, project teams and built-out labs to test everything they buy. SMBs don't have task forces or labs; they've got nothing but a lack of time to get everything done. Wouldn't it be great to push the responsibility off to someone else? Can't your information security VAR make the problem go away? To be clear, the channel has a role in the procurement and implementation of information security. But you cannot outsource your security strategy.

The VAR is not going to take responsibility for ensuring you are not compromised (nor should it). As the technology decision maker, you must come up with a security architecture and process to protect critical assets. Sorry, but that's your job.

To truly leverage the channel in the most effective way, you need to understand its motivation, which is to make money.

Keep in mind that every VAR is somewhat biased. But they also bring a lot of value to the table. They don't offer charitable services. They make money by selling products and services to folks like you.

Blind trust costs money. Buying security products is kind of like buying a car. The customers who walk into a dealership, fall in love with a car and drive it home that day get taken for a ride. Those who know what they want to buy, why they are buying it and roughly what they should pay get better deals. You can apply the same mentality to buying security products.

Start by doing your homework. Understand what problem you are trying to solve and some technical alternatives to address the issue. Talk to other IT professionals, check resources online, surf the Web, and/or read reports from pundits like me. Get a feel for what your security plan should be. Then (and only then) are you in a position to talk to a VAR. An educated buyer is the best buyer.

Be flexible. The VAR may have some logical ideas that you haven't thought of. It's OK to treat the VAR as an advisor. Just don't treat the VAR as the ultimate arbiter or the only advisor that you talk to. VARs add a lot of value in examining the myriad of technical alternatives and choosing the right one, but ultimately the decision is yours. If stuff hits the fan, you can be sure it'll be your head on the block.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Read his blog at, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
