Solution Providers Are Split On Whether To Offer Multiple Security Stacks Or Just One. Here’s Why.
While each strategy has its advantages, ultimately there’s no ‘right answer’ when it comes to how many options to offer customers, a panel of solution provider executives said at XChange March 2023.
While some solution providers see compelling reasons for offering different tiers of cybersecurity—in the form of multiple security stacks that customers can select from—others say that less is more.
During a panel Tuesday at XChange March 2023, executives from four solution providers revealed some of the different approaches that are out there on the question of whether to offer customers a single stack of security products or provide multiple options.
Meanwhile, a survey of the several dozen solution providers in the audience showed that 70 percent of those in attendance offer multiple security stacks to customers, while the remaining 30 percent offer just one stack.
The best approach, of course, will differ depending on the solution provider’s own unique situation, said Dawn Sizer, CEO of Mechanicsburg, Pa.-based 3rd Element Consulting. In the case of 3rd Element, that means offering just a single security stack to customers, Sizer said.
“Either you meet our stack or you are exposed—period,” she said during the panel at XChange, hosted by CRN parent The Channel Company this week in Orlando, Fla.
On the other hand, at Ronkonkoma, N.Y.-based Overview Technology Solutions, President and CTO Marc Menzies said the solution provider offers three different security stacks to customers. For customers that are primarily in on-premises environments, the company’s “Essentials” stack is typically the best fit since “there’s not too much going on in the cloud,” he said. “We just kind of keep it light, keep it simple in there.”
With Overview’s “Cloud” stack, the solution provider adds in tools such as Office 365 backup and password managers. These are tools that customers that heavily leverage cloud-based technologies “should have to be secure,” Menzies said.
The top tier is Overview’s “Zero Trust Cloud,” which includes layering on tools such as ThreatLocker endpoint protection and Blackpoint Cyber managed detection and response, he said.
Atul Bhagat, president and CEO of Vienna, Va.-based BASE Solutions, said his company also offers three options to customers—though it has raised the security level of the baseline offering over time. Two years ago, for instance, the solution provider added Huntress to its baseline offering after making the decision to “step up our antivirus,” he said.
Menzies noted that for Overview, with the “Essentials” and “Cloud” stacks, “it’s not like we’re leaving things out—all the gaps are, for the most part, filled in each stack.” The differences between the stacks are “more about the depth of implementation of a product,” Menzies said. Bhagat said that BASE Solutions takes a similar approach.
In addition, BASE Solutions does require customers on lower-level security stacks to sign a “risk acceptance” form in an effort “to drive them to that best model,” Bhagat said. “It’s saying, ‘You’re choosing not to do what I’m really telling you to do. We’re going to support you—but [eventually] we’re probably going to let go of you. Because we really push everyone into our best model.”
Michael Goldstein, president and CEO of Fort Lauderdale, Fla.-based LAN Infotech, said his company offers a “better” and “best” stack—noting that the biggest issue in moving all customers to the top tier is that it can be challenging to do this with some older customers.
“Some of my clients been my clients for 15 years,” he said. “This was the hardest year for me because we went back and we probably dropped 25 percent of our customers that were legacy, long-term clients. We passed them off to another local MSP … but it was hard. We didn’t want the liability.”
Scott Kidd, systems engineer at Milford, Conn.-based Vancord, who attended the panel, said his company also offers multiple security stack options to customers. And like with LAN Infotech, a major driver of that approach is the fact that some customers have been with the company for a long time.
“It’s a struggle and it’s always something that’s being talked about and discussed each year,” Kidd said. Still, all customers, regardless of what stack they’re on, receive what Vancord calls a “gap analysis” when they are on-boarded—where “we go through the entire network” to look for potential security issues, he said.
The analysis is essentially a “manual intervention just to find any vulnerabilities, and just make sure everything is up-to-date and patched,” Kidd said.
The bottom line is that when it comes to the question of offering one security stack or multiple stacks, every solution provider will need to approach things in their own way, Sizer said.
“There’s no right answer here,” she said. “There is no secret sauce.”