Let me kick this off with a little background as to how and why I decided to write on this subject. I believe it was late 2014 or early 2015 and I was working for F5 Networks. During one of our Quarterly Business Reviews, we had a guest presenter from Gartner come in and talk about Mode 1 and Mode 2. A couple of items that stuck with me over the years:
- Embrace change or you will fail
- 1 in 10 top tech companies will not be around 10 or 20 years from now.
- Mode 1 is legacy
- Mode 2 is the future (the cloud)
- Hybrid (Bimodal IT) will be adopted sooner rather than later and Mode 1 will be completely retired
This meeting was terrifying for me. I had recently started this job and F5 Networks’ sole business model was Mode 1: traditional and sequential, emphasizing safety and accuracy. The reassuring part to all of this was that, in my particular patch (Arizona and Nevada), Mode 2 adoption was speculated to take 5 or more years. This was ideal for me: enough time to hone my skills and make a move later down the road if F5 wouldn’t embrace change.
F5 made several attempts to embrace change by way of new product lines such as BIG-IP for Azure/AWS, utility based consumption licensing, BIG-IQ, BIG-IQ Central Management, and BIG-IQ Cloud. Unfortunately, these things didn’t quite take off as much as they needed to. F5 as a cloud product didn’t make any sense from the customer perspective. AWS/Azure are offering free load balancing, global availability, an easy button WAF, featureless IMHO, but easy (AWS only). While the argument for F5, specifically iRules, could justify it, many new applications were being written for the cloud. In that massive re-write of code, the dependencies for iRules evaporated. Like many legacy vendors (F5, Cisco, PAN, Citrix), they virtualized their hardware solution and placed it in the cloud with baling wire and duct tape. It required too many moving parts and it certainly wasn’t Mode 2: exploratory and nonlinear, emphasizing agility and speed. Putting F5 into Azure or AWS literally broke things and required many changes that couldn’t be replicated every time you did something like auto scaling into another availability zone. If you are from F5 reading this, you might say that’s not true with pool licensing, and I agree, but the cost for pooled licenses fit major accounts much better than territory based accounts.
I tried my best to help move F5 into the cloud. I spoke with every customer and partner I met in great depth about the future and how I would get them there. The biggest challenge when breaking into this market is deployment. Let me tell you what, a POC/POV of a version 1 product is time consuming. Even when I did get it to work, customers were often disenchanted by the whole process. To further add insult to injury, the amount of time spent deploying F5 in the cloud vs on premise was 20x more time consuming. That would be okay; however, at the end of the day, I am a resource to an account manager who needs to sell product. This is where it becomes abundantly clear that F5 in the cloud is really a small line item on a much larger PO.
| Product | SE Hours | Product Cost |
| --- | --- | --- |
| F5 BIG-IQ Cloud | 20 | $12k |
| F5 BIG-IP 5250 BEST | 1 | $250k |
Now you tell me, you are the Account Executive with a $4.0M quota, what products are you going to sell to help you achieve your goals? The answer is simple: focus on what will help you retire your quota and have your SE focus his or her time on opportunities that will get you there. Trying to sell F5 cloud at $12k a pop will never get you there. And as we all know, quotas only go up, not down, when you are a publicly traded company. For the Account Executive at hand, if they don’t hit their quota, not only do they not get paid, they stand the risk of losing their job.
So what can Mode 1 companies do when they have a sales force that has a huge quota (victim of their own success) and they hit a megashift? I don’t have all the answers, but likely keep pushing appliances, and as we saw in July 2018, F5 laid off 230 employees. While I never feared for my job at F5 (NOTE: SEs did not have to worry about quotas), I was surprised by my territory adopting the cloud. In May of 2017, I moved to a company born in the cloud, Zscaler.
A little about Zscaler before I get to my overall point about Value Added Resellers (VARs). Zscaler is a cloud based security company that does the following:
- Sandbox
- Advanced Threat Protection
- Outbound SSL/TLS Decryption
- Data Loss Prevention
- Secure access to internal applications
- Outbound NGFW
- Bandwidth Control
- Mobile Malware Protection
- URL Filtering
They have taken a historically complex outbound service chain and collapsed it into a single UI with a policy that follows the user at work, home, or abroad without introducing latency.
Zscaler Mission Statement:
Our mission is to empower organizations to realize the full potential of the cloud and mobility by securely connecting users to applications from any device, anywhere.
From the outside looking in, you would think Zscaler is a security company but Zscaler is about Network Transformation. Why does a security company help with Network Transformation? It really boils down to the following:
- MPLS reduction and/or complete replacement
- Office 365 functionality and user experience
- Enhanced Security with full SSL/TLS visibility
- Minimize cost of appliances, infrastructure, and operations
Since coming aboard in May of 2017, I have helped many customers with their journey to the Cloud with Network Transformation being the key motivator. This journey has been an interesting one, mostly from VARs. Historically speaking, a good VAR will provide a turn-key solution for the customer in the form of professional services that covers integration, customizing, training, and implementation. You may have noticed that I had a few sentences up above in bold without any context. In the same way Mode 1 appliance based vendors were successful, so were the VARs. VARs are compensated on both products and services which is very important to understand where they are at today and where they are at in the future. These same VARs have sold into accounts placing legacy Mode 1 appliances all over the place. In the same way F5 is a victim of their own success, so are the VARs. VARs that have traditionally sold appliances primarily, have a big number to carry which means a high quota for the sales team. What happens when a disruptive technology (Zscaler) enters the marketplace and VARs are forced to position a significantly lower cost solution on all fronts? Answer:
They turn into used car salesmen.
But why? It all comes down to the numbers.
For example, let’s look at a fictional company called Acme Plumbing. This company has 28,000 employees, 4 data centers, and more than 2,000 remote offices, and is looking to deploy O365 and, per Microsoft best practices, wants to deploy direct to net for the best user experience. This will also eliminate the need for MPLS, which has significant cost savings compared to leveraging local internet.
Given that the VAR will want to meet all of the customer needs, they will suggest placing an appliance or multiple appliances at each data center and remote office to secure the local break out. A couple of issues with this solution:
- That’s a metric ton of appliances to have to support, upgrade, etc.
  - Imagine having to support 4,000 appliances (you need redundancy right, better buy 2 for each location) minimum (Opex nightmare)
- How do you size an appliance for an office that only has 50 users?
  - You don’t. You purchase the smallest appliance that covers 200 users. Why pay for something you’ll never use?
- Can the appliance that covers an office that has 200 users scale and be fully functional with all of the security features enabled?
  - Short answer is no and the long answer is you will end up buying a bigger appliance to meet those needs. Doesn’t make sense? Read about how a 3Gbps DDoS attack can take down your 40Gbps NGFW that has a 20Gbps circuit.
- In this scenario, I have yet to see a VAR not recommend a NGFW at all locations.
  - I would encourage you to talk to any security professional and get their take on L4 vs L7 security. Full proxy is where it is at, for so many reasons.
So why would your VAR, your trusted advisor, steer you down this path? It is simple brian-nomics, let me break it down for you. All of that success your Account Executive has had with you over the years has given them a quota that will never be obtainable without selling boxes. It is their job to sell you as many appliances as possible, not because it is the right thing to do, but because it is how they will hit their number. Don’t be the customer who is sending them to President’s Club, be the customer who sends those box huggers packing.
Acme Plumbing is a poster child for a security-as-a-service solution to purchase what you actually need. A consistent security policy that follows the user everywhere. No boxes to manage, no software to upgrade, just forward the traffic to the cloud and enforce all of your security policies without compromising user experience. Let’s say you want to make a change on a legacy security stack across all 2,000 locations. In fact, let’s say the change is replacing an outbound rule that allows ports 80 and 443 with an application aware rule that allows HTTP and HTTPS regardless of port. How long does that take to deploy across all locations? I can tell you from a Zscaler perspective, it would take 10 seconds, if that. That’s the power of the cloud. How long would it take for your legacy solution to identify a 0-day ransomware like Bad Rabbit and provide protection for all users? The power of the cloud will catch 0-day, even if it’s over SSL/TLS, and provide protection for all users.
Oh, and there is another reason why your VAR is jamming boxes down your throat. It’s the opportunity to push professional services. After all, around 25% of their quota is related to services and this would be a big project. But let’s go a few feet deeper into the swamp. Did you know some VARs can actually sell their own helpdesk, as in VAR based FTEs, who provide Tier 1 and Tier 2 support for any given vendor? Think about that for a minute. Let’s say the BOM for 4,000 appliances is $5.0M and 1 year support is generally 17% of the list price, which would be $850k. A VAR would typically get a few points, let’s say 3, which would net them $25.5k. But a VAR who can do authorized support for a vendor stands to gross $850k, quite the delta if you ask me. You have to ask yourself, is my VAR doing what is best for my company or what is best for them?
I know I didn’t get into the specifics around cost of appliances vs cloud seats, as every situation and every customer is different. With that said, in my experience of collapsing the security stack to the cloud, adopting network transformation, elimination of MPLS, and OPEX savings, in general I have seen a minimum saving of 2x-4x and an ROI within 45 to 90 days.
I will not comment on any specific customers and/or VARs, please don’t ask.
Regards,
BD