Network Security Pays Off
After investing in specialized network security employees and assessment tools, integrator Creative Business Concepts Inc. is expecting nearly $8 million in sales revenue this year from security-related projects.
Imagine how Superman must have felt when he first encountered a piece of kryptonite. Suddenly all of his strength and super powers were sapped, leaving him vulnerable to an attack. As he lay writhing in pain, he probably wished someone would have informed him of this one weakness in advance.
Now imagine being able to hand your customers a list of network versions of kryptonite. As though you're using X-ray vision, you're able to uncover the security holes and offer ways to plug them. Now you're the hero. Networking integrator Creative Business Concepts Inc. (CBC) (Irvine, CA) plans to be that kind of hero and increase its sales revenue 60% this year by selling security assessments and the resulting remediation products and services.
Go Beyond Firewalls And Virus Software
To design and ultimately sell a network security assessment, CBC President J. Richard Shafer realized he needed a staff with security knowledge beyond the firewalls and virus software CBC had been selling for years. "I hired the sales manager and three engineers from a Fortune 500 security firm," Shafer explained. "These individuals are CSS 1 [Cisco Security Specialist] certified and have years of security experience." He didn't stop there, though. He began sending staff, sometimes for a week at a time, for additional security-related training courses. For instance, some employees are training to become a CISSP (certified information systems security professional), an industry certification from the International Information Systems Security Certifications Consortium, Inc. Additionally, two staff members are now RSA Security (Bedford, MA) certified security specialists. "In 2002, we spent $50,000 on training for six of our engineers," Shafer said. "We plan to continue that level of training this year for our remaining six engineers."
Much of the training CBC staff members receive pertains to the $100,000 worth of software tools the company uses to create its security assessments. Not surprisingly, Shafer is mum on the exact names of the tools CBC uses for these assessments.
Three Security Assessments Per Month
CBC's security assessments review topics such as a company's wireless network and its number of servers, domains, and locations. According to Steven Reese, CBC's VP of professional services, the assessment also includes a portion on social engineering. "Social engineering is determining how much access an anonymous person could gain to a company's network information," he explained. "It's a way of seeing what their current security looks like. You would be surprised how many companies will allow access to their computer rooms if you just look like you belong."
Shafer said the typical security assessment costs clients between $25,000 and $50,000 and takes nearly four weeks to compile. "The majority of our customers are overwhelmed with the amount of data we've collected in their assessments," he said. "So, even if they purchased the assessment tools we use, they would not have the expertise to analyze the immense amount of data we review." CBC completed six security assessments the first year (2002) it offered this service. Three of those assessments were for new customers. Shafer estimates the company will complete three assessments a month in 2003. He said that rapid growth will come from referrals from new security customers as well as the company's existing client base (CBC provides networking services to most of its clients).
Provide Policy And Procedures Expertise
CBC expects approximately $5 million to $7 million in sales revenue this year from the remediation portion of network security assessments. (Remediation is the process of fixing or repairing the network security holes an assessment has identified.) According to Reese, the most common products customers require (and ultimately purchase) at this stage include:
- Event correlation software - designed to gather all of the data logs from the different devices (e.g. router, switch, server) on a network and alert the systems administrator about potential intrusions. In essence, this software creates a protocol that says, "this action is happening at X device, the network is probably being hacked. Send an alert to person Y."
- A change management solution - includes a device and operating system that prevent change to a system without a secondary authentication.
- Intrusion detection software - monitors a specific network device and identifies potential network threats.
In addition to hardware and software, the remediation process often includes services such as helping customers develop and revise security policies and procedures (P&Ps). This service is important since Shafer said the most common problem he sees with network security is neglect of written policies. "For example, we frequently find servers and workstations logged on and left unattended," he explained. Shafer said IT staffs tend to keep detailed security-related procedures in their heads instead of writing them down in manuals. If those staff members decide to take jobs elsewhere, that P&P info goes out the door with the employees. "CEOs, CFOs, CIOs, and CTOs like knowing we help build P&Ps and train their people to follow the guidelines outlined in those documents," Reese said. "After all, without P&Ps, they may get a lot of technology, but they're not sure about the value of how it all works or what the protocols are for future problems."
Partner With Vendors For Marketing
To spread the word about its new security assessments, CBC began hosting events such as a golf outing; a boat trip; and bi-monthly, half-day educational seminars. The latter, held at a university 6 miles from CBC's headquarters, are free to attendees. These seminars include speakers from network security vendors and specialists on topics such as HIPAA (Health Insurance Portability and Accountability Act) compliance. CBC created a mailing list of approximately 1,000 CIO, CTO, CEO, and CFO names for these events. Shafer said each seminar costs between $5,000 and $8,000 and vendor sponsors help defray the costs. However, the investment is paying off. At the first two seminars held last year there were an average of 50 attendees. CBC landed three assessments as a result of those seminars.
The boat trip was even more successful than the seminars. Similar to a dinner cruise, this event gave CBC and its vendor partners a captive audience for a few hours. One week after the boat docked, CBC closed on three security assessments. "We are driving heavy marketing initiatives right now because network security is today's hot issue," Shafer said.
To some companies, a security assessment may just reaffirm their networks are secure and the right P&Ps are in place. To other companies, a security assessment can be an eye-opener. In either case, the integrator or VAR walks away looking like the hero.