Security VARs -- Buyer beware

Five questions to ask your VAR 1. What do you think of my security architecture? Ask your VAR to critically assess your ideas. This is a good way to find out if they trying to sell you more than you need or if they are constructively filling holes in your architecture. 2. What is your security methodology? Not having one is a reason to be concerned because they'll tend to lead with what is hot (or what offers the biggest margin), as opposed to fulfilling your needs. 3. Do you support the products? Make sure the products you buy from the VAR have top-flight support and that during any testing period, you exercise the support capabilities. 4. Which other products do you rep? You need to understand the breadth of what the VAR can offer, as well as how many products they rep in each security category. Ask why they are recommending one product over the other, and understand the margin they are making on the purchase. If they can't explain why a product is better for your specific environment, that's a red flag. 5. How many of these things have you sold? You never want to be the first customer of a new product for a VAR. They won't know whether it really works and they won't be able to appropriately architect and size the environment. You are a small-to-medium-sized business; there is no need for you to be the first. Let the VAR learn on someone else's dime.

VARs can definitely make life easier, and that's a good thing. SMB technology professionals have it tough, between ubiquitous regulation and limited resources. Security is one of those things that does not add revenue, so it can fall through the cracks. That is, until you have a problem, then security becomes front and center very quickly.

So you know you need to implement a security plan, but where do you start? What do you buy? The reality is, the proper level of security is different for every organization.

Large enterprises bring many resources to the table, such as task forces, project teams and built-out labs to test everything they buy. SMBs don't have task forces or labs; they've got nothing but a lack of time to get everything done. Wouldn't it be great to push the responsibility off to someone else? Can't your information security VAR make the problem go away? To be clear, the channel has a role in the procurement and implementation of information security. But you cannot outsource your security strategy.

The VAR is not going to take responsibility for ensuring you are not compromised (nor should it.). As the technology decision maker, you must come up with a security architecture and process to protect critical assets. Sorry, but that's your job.

To truly leverage the channel in the most effective way, you need to understand its motivation, which is to make money.

More on VARs Buying from resellers has its rewards Smaller businesses take another look at open source

Keep in mind that every VAR is somewhat biased. But they also bring a lot of value to the table. They don't offer charitable services. They make money by selling products and services to folks like you.

Blind trust costs money. Buying security products is kind of like buying a car. The customers who walk into a dealership, fall in love with a car and drive it home that day get taken for a ride. Those who know what they want to buy, why they are buying it and roughly what they should pay get better deals. You can apply the same mentality to buying security products.

Start by doing your homework. Understand what problem you are trying to solve and some technical alternatives to address the issue. Talk to other IT professionals, check resources online, surf the Web, and/or read reports from pundits like me. Get a feel for what you your security plan should be. Then (and only then) are you in a position to talk to a VAR. An educated buyer is the best buyer.

Be flexible. The VAR may have some logical ideas that you haven't thought of. It's OK to treat the VAR as an advisor. Just don't treat the VAR as the ultimate arbiter or the only advisor that you talk to. VARs add a lot of value in examining the myriad of technical alternatives and choosing the right one, but ultimately the decision is yours. If stuff hits the fan, you can be sure it'll be your head on the block.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Read his blog at http://feeds.feedburner.com/securityinciterants, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.

Rate this Tip To rate tips, you must be a member of SearchCIO-Midmarket.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Information security management for the midmarket San Francisco network lockup justifies CIO fears A cloud computing takeover? Google thinks so An IT spring cleaning for CIOs Single sign-on: Sensible security on scale Spyware defense for the midmarket Federal breach notification stuck in Congress Anti-spam tricks for the midmarket toolbox (expert podcast) Pre-emptive strategy best approach to breach notification CIOs under fire and in front of the camera Compliance-burdened CIOs turning to security management tools Security for the midmarket Risk assessment frameworks easy to employ Compliance: Don't let your guard down Single sign-on: Sensible security on scale Laptop theft easily preventable while on the road Information security requires organized teams How to choose a DR service provider Security on a midmarket budget Security's crystal ball for 2008 Security outlook challenging for SMBs in 2008 SMB security reporting: The devil is in the details Outsourcing for the midmarket CIO Decisions Ezine for Midmarket IT Executives Outsourcing prospects in Brazil good, but economy is a barrier Offshoring interest shifts from India to Americas Outsourcing: Coming to America or not? (Expert podcast) Data center outsourcing: Ten best practices Domestic outsourcing better option for some midmarket firms An IT spring cleaning for CIOs The Real Niel: Rules of outsourcing Blog: Justifying IT expenditures -- Outsourcing isn't always the answer H-1B fight reignites in Congress (news podcast) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.