BC: So how do you move from selling point solutions to a more holistic approach?

MJ: Once you start putting a dollar value to it, that's when clients start shying away. They want utopia but the costs are too high so where's the middle ground and how do you get there?

BS: It's always got to come back to risk analysis. We've always made assumptions about the risk analysis that's been done in organisations that we deal with but they're not always valid because people aren't doing it properly.

MJ: Is there a conflict between a company identifying risk and then coming up with product-based solutions?

Scott McKinnel, Check Point (SM): There's often a divide between the enabling technology and the risk profile of an organisation. When you ask what the compelling driver is, I've seen people's eyes glaze over because they really haven't thought about why they're doing it. Connecting it to a commercial arena enables a partner to do risk profiling.

BS: My single favourite question is to ask clients what information security they are trying to address. Quite often they haven't thought about it in those terms.

NV: Is it because they can't know? Our resellers talk to us in terms of solving a problem for a customer but it doesn't extend to what the customer needs to do. They buy technology that relates to productivity or reducing costs but [with security] you are asking them to do stuff so nothing happens and that's a massive mind shift. Suddenly you are shaping behaviour in a way that IT guys are not used to.

Wayne Neich, Blue Coat (WN): I heard a leading IT security expert at a conference recently telling CSOs to forget trying to cost justify upgraded security. So many customers are behind what the latest threats are versus where their environment is and that's just the nature of the business. We're seeing customers outsource firewalls from the security group to the networking group; the security group keeps policy but the networking group maintains those assets from an operational perspective. We'll see more and more of that in the future.

Jesse Frankel, AirMagnet (JF): I would agree with that. Security concerns get mixed together with availability issues so there's cooperation between different parts of an organisation responsible for operational support and policy. Justification from one point of view can sometimes be difficult, but the partners that have been most successful for us have been able to marry them together. Commonality is where things move the easiest.

BS: We separate the operational teams from the security function. For something like a firewall, there are so many critical network-related functions that the guys in our team aren't there to handle. Routing and availability is much better suited to the guys in charge of network operations.

AS: Security still sets policy but the implementation of those projects is definitely with the network group. They tend to be appliance people so it's a slightly different mode of operation.