Everyone remembers the Y2K bug issue. How could we not -- it was pasted on the front pages of every IT and business magazine for months. Ensuring compliance was something many companies focused on for years. It was a serious business issue for the most part, which posed a security threat to organisations and was treated with a deserved level of importance.
On December 21 this year, a business issue on the scale of the Y2K bug will take effect: the beefed-up Privacy Amendment (Private Sector) Act 2000. And yet, the event has not attracted the attention of the 2000 rollover, despite matching it in business complexity and requirements.
The problem, according to those in the industry, is that many companies are not sure what it means and what they should be doing in order to meet mandatory requirements. With less than two months to be compliant, time is running out.
While this is bad news for end users, an opportunity has unfurled in the channel. If resellers are smart, they can convert these prospects into excellent money-spinners, an especially attractive proposal with the IT market still very much entrenched in a downturn.
The selling point for the channel is security. The Privacy Act has 10 national privacy principles (NPPs) to which companies must adhere. The fourth one, pertaining to security, is the clincher for systems integrators, service providers and consultants. It says companies must take "reasonable steps" to ensure that data is secure by incorporating a range of technologies, such as antivirus, firewalls, authentication and encryption. It also specifies that data must be securely stored and securely transferred.
On the back of these requirements, security vendors, distributors and resellers alike have seen an increase in business over the past few months, with additional demand resulting from the Nimda virus and the US terrorist attacks in September. What's more, industry pundits expect the demand for security solutions to increase over the next year, particularly in the areas of data encryption and intrusion detection.
The warning to resellers and integrators is not to limit the business opportunity to a product sell; instead, they need to concentrate on selling the whole service. Resellers that help companies manage their privacy policies and procedures as well as provide for their security needs will find that the product will only account for a very small part of the overall sale.
Ross Chiswell, CEO of Integrity Data Systems, says the reseller has to go beyond the product. "The reseller has to make the decision to be more than just a catalogue of a product, it has to make an investment in technical and salespeople, and if you make the investment you should get a substantial return," he says.
Peter Sandilands, regional director of Check Point Software Technologies, agrees the channel should offer company solutions but adds that security is not an easy market for resellers to get their heads around.
"A lot of resellers are struggling with it -- there are very few resellers that focus on security as a mainstream business opportunity, it is usually ad hoc. But the security area is really an opportunity to pull a lot of additional services, which is a lot less price-competitive."
Sandilands says the service is more valuable than the product but will only come about because of the product. "They could take a $30,000 firewall sale and make it a $120,000 sale but I think there are a lot of resellers who are focused on the product sell. They need skills and knowledge in order to install, configure and compose them. [Resellers of this calibre] are few and far between and need a lot of money and have a skills set to update. But once the reseller makes that investment, they can take a very easy product sale to a large sale."
Meanwhile, not getting bogged down in the technology is easier said than done. Channel companies need to understand the implications of the Privacy Act as well as the highly specialised area of security. Steve Martin, manager of solutions partnering at security software vendor Novell, thinks the channel is having a hard time understanding the issue. "I think it is a little confusing for the channel and I don't think the partners are talking to their customers in an informative manner.
"There is not really an awareness of what the legislation means from a privacy perspective," he says.
On the other hand, those that get the formula right are reaping the rewards, especially when the industry is predicting that sales are only just starting to take off now and won't hit their peak until next year.
Dimension Data is taking a unique approach in its consultations by partnering with legal firms. Instead of just offering services in the security arena, Dimension Data is taking a holistic approach, which is proving to be a successful business venture.
"There is not much competition in this space where we are coming from," says Tim Smith, Dimension Data's chief technology officer. "There is the legal compliance, the review and architectural side. There is no one else offering those services together. Right from the start we saw partnering with a legal firm as an important part and having legal compliance is the fundamental starting point. It is a new way of getting our story across to clients, which we have found to be extremely successful."
To outsource or not to outsource
As security is such a specialised field, it already has a high level of outsourcing. With the added complication of the privacy legislation, it seems inevitable that demand for services will increase. The other side to the issue is that if part of the Act is to keep data private, then surely it is better to have someone in-house to manage data security.
"There is a definite skill shortage to run firewall maintenance and run reports, for example," says John Donovan, managing director of security software vendor Symantec. "It isn't a core competency -- security skills are highly specialised and constantly changing. So it makes sense to outsource security such as firewalls and intrusion response."
"Security has become an extremely complex environment," agrees Rum Rubinstein of Radware. "From firewall to intrusion-detection systems, which are complicated to manage, to virtual private networking, which can be extremely complicated to set up, to e-mail filtering. For this reason, customers want a solution rather than a product."
If outsourcing is the preferred option, then solution providers are most likely to see an increase in interest in service-level agreements (SLAs). Rubinstein says the recent terrorist attacks made customers extremely aware of the importance of having a guaranteed service of network security and that has made SLAs necessary.
"There is no point having the service if it isn't guaranteed to work 24 hours," says Rubinstein. "[Resellers and service providers] need to guarantee that security mechanisms exist, and that traffic will flow to the existing infrastructure. From a customer point of view, SLAs will give peace of mind . . . users need the type of relationship where they can trust the network. An SLA is just part of the solution."
Not too late for resellers
Taking advantage of the opportunity presented by the Privacy Act will require hard work on the part of resellers. In addition to a thorough understanding of the Act and its impact on business procedures, resellers need to be experts in the security field. The December 21 deadline is looming, but analysts say the opportunity has by no means passed for resellers to skill up and catch the wave. Many companies have yet to seriously attack the privacy and security issue, Sandilands says.
The privacy commissioner, Malcolm Crompton, has made no secret that he will be looking to make examples out of high-profile banks and private corporations. Sandilands feels it will probably take a few such cases to kick other companies into action.
That being said, he also thinks the channel is lagging in its understanding of the issue, adding it will take six months to a year before the channel fully comprehends the relationship between security, privacy and business.
Dimension Data's Smith says his company has been proactive by approaching customers and offering seminars and consultative meetings on what the Privacy Act will mean for their organisation.
"There were a few cases where organisations already had a privacy officer but most were surprised in the seminars and picked something up. There were those that knew nothing about it and some that were well on their way [to being compliant]. There were some that didn't think the legislation applied to them and were quite surprised," says Smith.
In a joint survey with Deloitte Touche Tohmatsu, Dimension Data found that two-thirds of companies surveyed had initiated projects to address the new requirements for the Privacy Act, which means there is still one-third out there that are yet to address the issue. Sounds like a job for the channel.