Recently, at a customer, I was very surprised when they showed the architecture team their new and uber cool security architecture design that 20 days of consulting (10 of which were free from the "reseller") gave them.
Slight Techy Bit - Skip if you don't care...
In short, it had a few flaws. The SSL data stream that penetrated their outbound firewall also invalidated their new pride and joy, the IDS, which couldn't see the traffic inside the SSL; traffic was hitting the web server anonymously, and the application was using a rather open form of authentication back to the database, which left all information open on the corporate network (and DMZ). The data input quality was being checked by large client-side JavaScript applets, and didn't seem to be bounds checked at any other level. They also needed to buy a new certificate from a different provider because their provider wasn't in the trusted root of this appliance.
Upon some digging it transpired that the solution was put this way to work around some of the deficiencies of the "appliance" that the salesperson was trying to sell. The "consultants" were people who, when we met them, confidently told us port 80 was the port used by ping! Prior to being security consultants (new-world terminology for salespeople) they worked at the local garage selling cars (I'll let you guess whether they were new or used). An 1800 dollar ISA box would have done the same job, but the partner would never want to use it, even though from a technical perspective it was superior. From a techie's perspective this is just plain wrong, but from a commercial perspective it's very simple to understand. It's about one word that drives the entire security business. A techie may think the answer is "security"; a salesperson knows it's MARGIN.
Technology, does it matter?
A Linux or free firewall (theoretically free, but look at Total Cost of Ownership) may be a better technical solution. An ISA Server with its EAL4+ and battery of Application Filters would be a great security solution (our only firewall at Microsoft - attacked millions of times per day - never breached - I am proud of that), and at 1800 dollars is an absolute bargain, and that is exactly the reason a "security business" person wouldn't touch either the MS or the Linux solution. They would recommend the CheckCoat CisScreen 10000 - security appliance extraordinaire. And it wouldn't have a thing to do with its features...
A Lucrative Business
Almost all of the security business is three-tier distribution: the customer is sold to by a re-seller, who buys from a distributor, who buys from the vendor (CheckCoat).
Let's assume CheckCoat gives the re-seller 35 points of margin (35% off the retail price). In actual fact they don't - they give the distributor (middle man to you and I) 50% off the retail price, and the distributor passes from 10 to 35 percentage points on to the re-seller. Most of the distie's job is to line up willing re-selling partners to sign up to their distribution programme and commit to buying dozens, hundreds, whatever, of CheckCoat appliances from the distributor. The more they commit to selling, the more margin they get (or discount off the full retail price). So if you are a re-seller who signs up to sell 10,000 a year, you may even get 40% off the retail price, leaving 50% for CheckCoat, 10% for the distie, and 40% for the company making the recommendation to the customer. If you say you will sell ten a year, the distributor may only give you a 10% discount on the full price, meaning they keep 40%, CheckCoat gets 50%, and the recommender gets 10%.
The distie also usually handles logistics, returns of faulty goods, some do support, and they add pre-sales help, training etc. as part of their package; in my view re-sellers provide good value for money given what they do. The re-seller usually does the end-user sale, implementation, day-to-day sales activity etc., which is why their "consultants" recommend the appliance solution; the distie usually supports their re-sellers as well.
Case Study
So, the more you sell, the more discount off the full price you get, and the more expensive the appliance is, the more money there is to go around. Currently appliances average around 10K USD. So let's see how much SnakeOil Security gets for selling a four-appliance deal to FleecedCorp via MiddlePerson Inc:
4 appliances at 10,000 USD each - a 40,000 USD order done by SnakeOil Security.
CheckCoat gets 20,000 USD, giving the distie (MiddlePerson Inc) a 50% margin as part of their agreement.
Because SnakeOil Security is a "premium" re-seller to MiddlePerson Inc (they do a lot of business through them), they get a 35% discount on the order. So they bought 40K worth of kit and paid only 26,000 for it, leaving them a whopping 14K USD profit from the sale alone. MiddlePerson Inc bought the kit for 20K and sold it for 26K, so they make some good money too. On top of this, SnakeOil Security sold 10 days of implementation services to the customer at 1000 dollars per day, or 10K in total. The customer paid 50K USD for something that some people put on the Internet for free (firewall software), that CheckCoat charges the channel 20K for, and the rest of the money was taken by the distributor and the re-seller (and its services business). That's the security business.
So, back to our ISA or Linux competitor to CheckCoat.
How much do I get for the Linux box? 100% of the price, great!!!! That's amazing margin. Ohh, but wait, it's 100% of zero. Ohhh, that sucks, not touching that then, no matter what the features are. And what about ISA? I get a normal 2-10% margin from Microsoft, so 4 servers X 1800 USD == a 7200 USD order, but I only get 2-10% margin, so I get up to 720 dollars. What, only 720 dollars, is that it?? That's not enough to fill the tank of my new Hummer (paid for by the CheckCoat bonus last year), so forget that, not touching that product either. Don't care what it does. I know, I'll tell the customer Linux is not reliable and enterprise ready, and Microsoft is insecure, and their only option is CheckCoat.....
Final Analysis
Many of the dominant players in our industry have become so because of commercial manoeuvring, channel margin, partnerships etc., and not because of technology (which really has very little to do with it). There is actually nothing wrong with this; it's the way business has been for hundreds, thousands of years. But it may not necessarily benefit you if you are in the market for something new in security. A good pre-sales consultant is not an ultra-technical one (most deep techies are useless in the security business); it is one who can wrap a customer need around the constraints of the specific appliance platform they want to sell, and overcome simple objections. As end-users wake up to the commercial realities this will become more difficult, and the snake-oil salesmen will be driven away (my fervent hope) by increasingly technical discussions.
There is some very cool appliance technology out there, and security technology in general is getting rich and complex, but in the short/medium term ask your visiting salespeople some commercial questions as well as the technical ones to establish their true intentions. Like most things in life, there is far more behind most appliance recommendations than appears :) Mail me at fred at microsoft for comments, suggestions etc. :)