Security VARs -- Buyer beware

Five questions to ask your VAR 1. What do you think of my security architecture? Ask your VAR to critically assess your ideas. This is a good way to find out if they trying to sell you more than you need or if they are constructively filling holes in your architecture. 2. What is your security methodology? Not having one is a reason to be concerned because they'll tend to lead with what is hot (or what offers the biggest margin), as opposed to fulfilling your needs. 3. Do you support the products? Make sure the products you buy from the VAR have top-flight support and that during any testing period, you exercise the support capabilities. 4. Which other products do you rep? You need to understand the breadth of what the VAR can offer, as well as how many products they rep in each security category. Ask why they are recommending one product over the other, and understand the margin they are making on the purchase. If they can't explain why a product is better for your specific environment, that's a red flag. 5. How many of these things have you sold? You never want to be the first customer of a new product for a VAR. They won't know whether it really works and they won't be able to appropriately architect and size the environment. You are a small-to-medium-sized business; there is no need for you to be the first. Let the VAR learn on someone else's dime.

VARs can definitely make life easier, and that's a good thing. SMB technology professionals have it tough, between ubiquitous regulation and limited resources. Security is one of those things that does not add revenue, so it can fall through the cracks. That is, until you have a problem, then security becomes front and center very quickly.

So you know you need to implement a security plan, but where do you start? What do you buy? The reality is, the proper level of security is different for every organization.

Large enterprises bring many resources to the table, such as task forces, project teams and built-out labs to test everything they buy. SMBs don't have task forces or labs; they've got nothing but a lack of time to get everything done. Wouldn't it be great to push the responsibility off to someone else? Can't your information security VAR make the problem go away? To be clear, the channel has a role in the procurement and implementation of information security. But you cannot outsource your security strategy.

The VAR is not going to take responsibility for ensuring you are not compromised (nor should it.). As the technology decision maker, you must come up with a security architecture and process to protect critical assets. Sorry, but that's your job.

To truly leverage the channel in the most effective way, you need to understand its motivation, which is to make money.

More on VARs Buying from resellers has its rewards Smaller businesses take another look at open source

Keep in mind that every VAR is somewhat biased. But they also bring a lot of value to the table. They don't offer charitable services. They make money by selling products and services to folks like you.

Blind trust costs money. Buying security products is kind of like buying a car. The customers who walk into a dealership, fall in love with a car and drive it home that day get taken for a ride. Those who know what they want to buy, why they are buying it and roughly what they should pay get better deals. You can apply the same mentality to buying security products.

Start by doing your homework. Understand what problem you are trying to solve and some technical alternatives to address the issue. Talk to other IT professionals, check resources online, surf the Web, and/or read reports from pundits like me. Get a feel for what you your security plan should be. Then (and only then) are you in a position to talk to a VAR. An educated buyer is the best buyer.

Be flexible. The VAR may have some logical ideas that you haven't thought of. It's OK to treat the VAR as an advisor. Just don't treat the VAR as the ultimate arbiter or the only advisor that you talk to. VARs add a lot of value in examining the myriad of technical alternatives and choosing the right one, but ultimately the decision is yours. If stuff hits the fan, you can be sure it'll be your head on the block.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Read his blog at http://feeds.feedburner.com/securityinciterants, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.

Rate this Tip To rate tips, you must be a member of SearchCIO-Midmarket.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Information security management for the midmarket Mobile device management: From business apps to device security Test your knowledge: IT quizzes for midmarket CIOs Droid does, but will IT support it? Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility Information technology management e-book downloads for midmarket CIOs 10 must-have steps for an effective SMB information security program Your IT security budget: How to get more bang for the buck Security for the midmarket Information security program revamp adds outsourcer oversight and more Your IT security budget: How to get more bang for the buck Locking down security in the move to electronic medical records A CIO's advice for implementing single sign-on solutions Options for outsourcing security grow, offer IT budget savings Network access control: Pointers for getting the knack of NAC Stopping malware viruses from attacking Web 2.0 technology Virtual servers no escape from IT security management concerns Unified communications: Securing access to OCS Unified communications security: How safe is it? Outsourcing for the midmarket Virtualization management strategies ezine for CIOs IT and business management: Service, process and project performance Need for speed driving midmarket adoption of IT outsourcing services Cloud computing defies one definition, so here are a few of the latest Managed IT services for disaster recovery and business continuity Tech skills gap to fuel IT outsourcing growth among midsized users What do you know about data center outsourcing? Business knowledge management helps boost offshore strategy IT insourcing trends: Weighing the pros and cons The price of data center outsourcing: Security, costs and more explored RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.