It wasn't long ago that IT security solutions
such as antimalware software, intrusion detection and prevention systems,
firewalls and web content filters practically sold themselves. It's not
so simple now. Today many companies, even small businesses, already have
such baseline security tools in place. And one-time, point-solution sales
aren't the way to long-term profitability for your business.
The process of selling security has evolved, says Chris Squier, technology
solutions engineer at Ingram Micro. Today, clients need help implementing
best practices to secure business critical systems and information, and
to attain or maintain regulatory compliance with governmental and industry
mandates.
That means huge opportunities for solution providers who are able to
assess the current security levels of an organization and recommend enhancements
or additions to create a long-term, sustainable risk-management program.
There's always more to do than just knocking on the firewall to see if
it's secure, says Squier. When you use vulnerability assessments as a
way to help companies secure their infrastructure better, you'll become
a trusted advisor, and you can count on a relationship.
Why Vulnerability Management?
- PROS: SMBs need help; become a trusted advisor
- CONS: Requires specialty expertise
- BOTTOM LINE: Worthwhile for solution providers and MSPs
Setting the Baseline
The fact is that many owners and managers at SMBs don't understand the real
risks to their business technology systems. Enter the security service
provider, who, with an objective perspective, is well positioned to show
them. Ninety percent of the time our first engagement with a client starts
with a security assessment, says Vincent Liu, partner at security provider
Stach & Liu. It always starts with a baseline, to determine where
the customer stands.
Whether you're assessing the vulnerabilities of an application, network,
office, campus, nuclear power plant or military installation, the processes
of getting to that baseline are the same. The underlying infrastructure
is mapped, and potential system weaknesses are identified, quantified
and prioritized for remediation. (Network vulnerability assessment can
be automated using tools such as McAfee's Vulnerability Manager and eEye
Digital Security's Retina.)
As part of the baseline assessment, unsafe conditions requiring remediation
are certain to be found. The key is to ask the right questions of the
client, says Liu, who notes several recurring areas where security efforts
tend to fail. "Clients often have bad processes for password protection;
their systems have configuration errors; and they have a number of vulnerabilities
in their installed software," he explains. "Those are common
ways that companies make it easy for people to break in."
Smart solution providers will spot long-term service and consulting opportunities
in addressing these and other problems. Risk and security assessments
and vulnerability management lend themselves very well to building long-term
client relationships, says Dave Dickison, senior vice president of North
American Channels at McAfee. If clients don't have a security policy,
or have one that's outdated, there's an opportunity to help them create
or refine that policy.
It is crucial to understand the regulatory environment of the industries
in which clients do business. Much security policy and remediation work
is driven from a regulatory point of view, says Dickison. You're not only
showing clients what they should do to improve their security, but what
they must do from a regulatory perspective.
Funding Security Solutions
Even when money is tight, stressing regulatory compliance can help clients
round up the funds to get and stay secure. Senior managers may not understand
the importance of logs to forensic analysis, or know the difference between
a buffer overflow and cross-site scripting attack, but they are aware
of the importance of regulations such as the Health Insurance Portability
and Accountability Act (HIPAA), the Payment Card Industry Data Security
Standard (PCI DSS) and Sarbanes-Oxley, a fact that solution providers
can use to their advantage.
Because upper management understands the risks of noncompliance better
than security best practices, the budget always is available for compliance,
says John Kindervag, senior security architect at Vigilar, a security
solution provider. Security people can use compliance funds to fill security
holes. When you hint to management that the company could lose its ability
to accept credit-card payments if PCI DSS compliance isn't maintained,
you get the managers' attention quickly.
The questions to ask highlight the connection among compliance, business
goals and security solutions. What, for instance, are the company's current
patch levels compared to its security policies and compliance mandates?
If the organization has a mobile sales force, or if executives need the
ability to conduct business from anywhere, what is the company's policy
for protecting those notebooks and smartphones? If it needs to provide
proof of regulatory compliance and system activities, how are the logs
for those systems being captured, stored and managed?
Building a Managed Security Practice
If you're a typical solution provider, you'd like
to capture a chunk of the profitable managed services opportunity.
More often than not, however, you don't have the time or budget
to build such services from scratch. That's the beauty of outsourcing
managed services from Ingram Micro Seismic. Ingram Micro is leading
the industry in making managed services available to the channel,
says Samuel Van Ryder of Alert Logic, one of the service providers
behind Ingram Micro Seismic.
Ingram Micro Seismic offers several managed security services,
including Online Backup and Restore, E-mail and Web Defense, and
three new services introduced earlier this year:
- Seismic Threat Manager, powered by Alert Logic. This
service blends both intrusion protection and vulnerability management
technology into a single integrated, software-as-a-service solution.
- Seismic Log Manager, powered by Alert Logic. Service
providers can manage server and application log data so their
clients can more easily comply with internal policies and government
and industry regulations such as PCI DSS and HIPAA, which both
mandate that log data be collected, regularly reviewed and securely
archived.
- Seismic Remote Support, powered by LogMeIn. Following
a security incident, or any type of performance trouble, Remote
Support makes it easy for solution providers to deliver on-demand
support to remote PCs for faster, more efficient incident resolution.
For more information, visit www.ingrammicro.com/seismic
or e-mail salesservices@ingrammicro.com
(U.S.) or services@ingrammicro.ca
(Canada).
Security as a Service
Tight IT budgets can lead solution providers to another promising opportunity:
offering vulnerability assessment, compliance management and other security
applications as managed services. These can be more cost-effective for
clients than traditional, on-site software solutions.
For solution providers, the efficiency of remote management and the recurring
revenue from monthly subscriptions boost profitability, compared to project-based
security solutions.
Alert Logic, a provider of remote security solutions, offers such services
to end customers and solution providers via Ingram Micro Seismic. In this
model, a network appliance is placed on-site, but the software, services,
reporting and ongoing maintenance are managed remotely. Popular offerings
include log management (which automatically collects, transmits, analyzes
and archives log data), threat management (a mix of intrusion-protection
and vulnerability management solutions) and compliance automation (protecting
the confidentiality, integrity and availability of regulated data).
Small and midsize companies appreciate receiving a turnkey service; there's
no software for them to deploy or manage, says Samuel Van Ryder, global
partner manager at Alert Logic. Everything we do runs from our data centers
and security operations center (SOC), and in doing that we become an extension
of the clients' businesses.
While many solution providers may not have the ability, or desire, to
build their own data center or SOC to deliver managed security, such services
are available for resale through Ingram Micro Seismic. Ingram Micro Seismic
makes it easy for solution providers to secure their customers' networks
and comply with policies and regulations, says Van Ryder. (For details,
see separate article on this page.) And ongoing services, such as continuous
threat and compliance management, can provide the glue to keep that relationship
intact and profitable for years to come.