September 22, 2024

When To Call For Help: Choosing Vendors

The Question

It never fails: once or twice a week I end up on a call with a CIO or CISO and the question just pops out: "If all this assistance is free, how do you make any money? What's the catch?"

It's a valid question. My day job is basically to advise companies on frameworks and controls, how to choose and implement cybersecurity vendor technology, and generally just provide feedback on what *everyone else* is doing for security. For free.

To explain this requires a bit of background, because as a cybersecurity or IT professional you likely have NEVER CARED about how revenue flows from your pocket to a vendor. But bear with me, because by the end of this article you'll be able to understand the motivations of all the different sales people based on how they get paid. And more importantly: shop better for your business.

In the end, it's just one more "system" to hack.


Traditional Tech Sales

Let's say you are an HR professional and you want to find a new tool for payroll. You probably execute the same research cycle you do when buying a car, a tent, or anything, really. You pop on Google and search for "best payroll site". You are inundated by reviews for all the major players, all talking about how site XYZ is simply the best/cheapest/fastest/most popular solution to your problem. From this moment forward, every ad you see on ANY website is for a payroll service. Even Instagram (am I indicating my generation here?)! You schedule demos for the three most common platforms and start navigating their sales process:

  1. Discovery call for each (they are qualifying you as a lead)
  2. Follow up demo of the platform with an Account Engineer (AE, managing the account/pricing) and Sales/Solution Engineer (SE, technical person on the platform)
  3. Wait for quotes from each, eventually pick one based on sales presentations
  4. Sign that contract! Three year discount? You got it!
  5. Onboarding starts: handed to a new Customer Success Manager (CSM)!
  6. Training and implementation complete, let's get our employees paid!

What purchasers generally never see is the commission and cost structure behind these steps. It can be broken down into a number of different costs:

  1. Marketing. Search engine optimization, promoted search ads, all those ads targeting you across different sites, "articles" on how to solve your problem behind an email barrier (spoiler: that form feeds a CRM like Salesforce or HubSpot, and the lead is distributed to sales people to follow up on). Pretty much anything involved in getting a logo in front of you.
  2. Sales team commissions: cold calling, email marketing, mining Crunchbase/PitchBook/whatever to get your email, and connecting with you on LinkedIn to convince you to do the discovery call.
  3. AE and SE commissions for closing the sale.
  4. Customer Success Manager commission for up-sell and cross-sell.
  5. More, probably. It depends on the business.

I'm sure no one here is surprised that the cost to build and maintain a service is a fraction of the cost of running a business, but most people I talk to don't really know how much money goes to the roles actually driving leads to the product. In the end, that's what numbers 1 through 3 are doing. And it can be fairly expensive! And from the customer perspective, navigating each one of these sales funnels can be pretty time-consuming.

The Indirect Sales Channel

There is another "channel" businesses can use to drive leads. It is called "indirect" and takes a bunch of different forms: resellers, affiliates, referral partnerships, revenue share partnerships, etc. Pretty much anything that doesn't involve hiring someone directly to drive leads. These structures all vary based on the individual agreements. But the important thing I want to drive home is that they offer flexibility in the business model.

Applied to IT/Cybersecurity

The indirect sales channel is very prevalent in the IT and security space. Think about it: (almost) any time a consultant, VAR (Value Added Reseller, a reseller providing additional value like configuration, management, whatever), or review website recommends a product, they are likely earning some kind of commission from it.

This isn't always bad. For example, you may have chosen a VAR because they provide Fortinet firewalls plus configuration, installation and support. You knew the price you paid was higher than the product stand-alone. But the value was worth it, despite margin being worked into multiple steps in the process. Frankly, even just pure reselling costs money (storage, packaging, lading, shipping, etc.), but that's another article.

New Business Models

The indirect sales channel allows a bunch of different business models to work. Monthly recurring revenue is a powerful tool: that's why every service and site you deal with has moved to it. Commissions paid out over the life of a relationship add up quickly, especially at the mid-market and enterprise sales level. Think about how much your business pays monthly for its contact center, internet connectivity, managed cloud, voice services, managed security, software licenses, etc. If a partner brought that customer to the vendor, the vendor didn't have to pay for nearly as much marketing, sales team, or other direct marketing techniques. The partner gets a commission and is (hopefully) motivated to ensure the end customer is satisfied with the choice.

There is even the concept of a distributor. These companies broker many, many, many partnerships. They vet vendors to ensure they can perform. Partners of these distributors have access to a vast portfolio of capability, and also to the legal and negotiating power that comes from the scale of deals brought to individual vendors. If something goes wrong in implementation, like a sales team misrepresenting something or poor project management, both the partner and the distributor are there to advocate for it to get fixed.

That's because at the end of the day, no one gets paid until the customer is satisfied with the solution.

Doesn't That Just Mean Sales People Again?

Sometimes. Some partner businesses are just sales people trying to find a matching vendor fit. But even then, they tend to do a lot of research and up-front information gathering to ensure the vendor can support the tech stack of the business (hard to convince a 25-site deployment of Fortinet firewalls to switch to Palo Alto just for the SOC...). The real advantage to this model is time: IT and security teams are usually overworked and understaffed, so navigating the sales process takes a long time. Even then, you can't be sure your initial vendor list actually FULLY supports the equipment you have deployed across your infrastructure. Down-selecting to a certain number of vendors, even those limited to a distributor's portfolio, can save a LOT of research and time and immediately get you 2-3 good fits (capable and reliable).

The Next Level

Where this gets really compelling is when you start combining distributor relationships. If you are a business looking for a 24x7 Security Operations Center (SOC) to manage your EDR and overlay some MDR, how do you start that search? Probably like the example above: Google. Or maybe you are a seasoned technical veteran, and even have experience with a couple of vendors! You fully integrated one SOC at your last job, but they supported a different firewall and EDR agent...

What if a partner had a relationship with 45 SOC vendors? Did you even know there were that many? Even more important: knowing who sucks and who doesn't. Picking a bad vendor sucks. It's embarrassing, personally and professionally. It's costly in both time and money.

It's me. I'm that partner. And it's not just for SOCs.

I'm not a sales person. The indirect sales model allows the company I work for to hire a technical person (me) to vet the cybersecurity vendors in the portfolio, speak nerdy infosec talk with clients, and present the best fits for a business to decide on. We get a commission from vendors based on sales, but we have worked hard to develop a portfolio expansive enough to have excellent fits for our clients. There aren't always great fits, and I'm up front in those conversations. It turns out the best way to sell to technical people is to be honest, inform them of the pros and cons, and let them make the decision.

That's how I get to provide advice to businesses and help build cybersecurity programs for free.

The Non-Pitch

At the end of the day, there are lots of different ways a business will source security and IT vendors. I'm motivated by helping businesses navigate the cybersecurity landscape (ahem, this site...). So if you need help finding a technology (managed IT or security like MSP/MSSP, EDR, MDR, firewalls, backup, disaster recovery, many more...), or professional services (vCISO, security assessment, pentest, etc.) for your business, drop your name into the NON-CRM form below. It shoots an email directly to me, no subscriber sign-ups.

Otherwise, good luck and happy sourcing!

Adrian Tilston