Compliance opportunities abound for VARs

Selling hardware, software and services that help customers comply with regulations such as the Sarbanes-Oxley Act and HIPAA can boost a storage VAR's revenue by 20% or more, with much of the increase coming in high-margin software or services instead of low-margin hardware.

But to reach the compliance market, savvy value-added resellers (VARs) aren't relying on generic "scare" pitches listing the problems customers will face if they fail to store the right data in the right way. They're instead focusing their efforts on the specific needs of customers in various vertical markets, and telling those customers exactly what they need to reach compliance.

Customers have read the headlines about the corporate scandals that led to the new regulations and recognize the need for compliance, says Ed Gogol, director of enterprise systems and business development at Solarcom LLC, a Norcross, Ga., systems integrator and storage reseller.

"Now, what they need to hear is the next phase — what products are out there and what solution sets are there to help us monitor our data, store our data and be able to quickly retrieve it when we need to."

The fact that many customers have already spent money on consultants to assess their regulatory needs makes now a good time for VARs to step in and sell, says Frank Brick, chairman and CEO of Arsenal Digital Solutions Worldwide, which sells compliance-related storage services through partners such as VARs. Equipment deployment and implementation will be the "next wave" of compliance activity, Brick claims.

Growing market

Analysts project that the overall market for compliance-related products and services is in the billions of dollars. Of that, "You can safely say that hundreds of millions of dollars are being spent in 2005 on servers, software, storage and related services," says Lance Sedlak, director of marketing for enterprise storage at distributor Arrow Electronics North American Computer Products in Englewood, Colo.

Among the most well-known regulations is Sarbanes-Oxley, which was passed in response to a wave of corporate scandals. It requires, among other things, that public companies store and be able to retrieve all the documents used to prepare their financial statements. These documents can range from corporate general ledger accounts, to Excel spreadsheets, to e-mails offering customers discounts if they pay their bills more quickly.

Another big driver of compliance concerns is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires that health care providers keep some patient records for decades, ensuring they are kept both private and available if needed.

Even beyond regulations, many companies are storing all manner of information just in case it is needed in case of a government audit or a lawsuit. One joke making the round of storage vendors is that the "ROI" of compliance-related storage spending is "Reduced Odds of Incarceration."

The specific revenue boost that resellers can expect depends on how broadly they define "compliance," how long they've been in the compliance market and how well prepared they are to talk compliance rather than just sell generic storage hardware. Arsenal sells storage services certified to comply with the SAS 70 standard for how service organizations or outsourcers handle a customer's financial data. In the last year, Arsenal's compliance-related sales have risen from less than 5% to 25% of revenue, and Brick predicts that will rise to "well over 50% in the next 12 months."

Adexis, the storage division of Cranel Inc. in Columbus, Ohio, has been training its sales and technical staff in compliance over the last two years and now gets 20% of its revenue from compliance-related activity. By contrast, Key Information Systems in Woodland Hills, Calif., which is only beginning to target the compliance market, says compliance now makes up only about 5% of revenue.

An array of services and technologies

The types of compliance-related services that VARs and resellers can provide include installation and configuration of data retention, backup and recovery software, recommendations about which hardware or software is best-suited for use with specific applications, and developing detailed policies to guide a customer's e-mail backup and archiving.

Even if a reseller does compliance assessments, it shouldn't claim its offerings guarantee customer compliance, says Kevin Schoonover, director of engineering for Arrow Enterprise Storage Solutions. Compliance is a process that requires ongoing auditing and management involvement, he says, noting, "The only person who can define whether they are compliant or not is the end customer."

Among the compliance-related technologies most in demand, resellers say, are e-mail archiving, retention and retrieval, HSM (hierarchical storage management), content management and filtering (to determine how various types of data should be stored for compliance purposes) and disk-to-disk backup (which is faster and can provide easier retrieval than backup to tape).

Virtualization — which enables multiple physical servers or storage arrays to appear as a single unit to an application — figures in many compliance-related projects because it makes it easier to shift data among different types of storage as its importance changes. Several resellers report that newer magnetic disk-to-disk backup products are replacing older optical storage media because they are much faster and priced competitively with the older optical gear.

The soft-sell approach

Many resellers recommend against focusing on compliance early in a sales presentation. Rather, they advise, start by talking about cost-saving opportunities, such as moving older e-mail onto less-expensive secondary storage or tape, or ease of use, such as how disk-based archiving can retrieve e-mails more quickly than tape archiving if needed for an audit or a lawsuit. As the customer sees the value of these steps, additional compliance-related issues — and selling opportunities — arise naturally.

"We learned early on that you can't lead with compliance," says Gogol. "Everyone tried that. It's painful to discuss, and the smart customers don't want to share their compliance shortcomings with any outsiders. We learned to assume there are always compliance issues and to present solutions that the customers can easily grasp."

At the Ergonomic Group, a systems integrator based in Garden City Park, N.Y., compliance-related projects make up about 10% to 15% of total sales, but those projects can also drive an e-mail migration or drive a storage consolidation project, says senior account executive Sean McEvoy.

The Ergonomic Group has had success pitching compliance to senior counsels or chief compliance officers rather than to the IT organization. While such senior executives can be harder to schedule time with than an IT manager, "They're the ones who know what their regulatory needs are" and may have more money or more credibility than the IT staff when it comes to getting funding for compliance-related storage, says McEvoy.

Many resellers, such as Key Information Systems, call in outside partners to perform initial audits of security, e-mail archiving or other portions of customers' IT operations that could affect their regulatory compliance. The results of those audits provide the entry for Key to talk about e-mail archiving, says director of marketing Pete Elliot.

The skills needed to sell software and services — rather than just hardware — into the compliance market don't come cheaply. Each reseller has to decide whether it wants to know enough to just be able to have an intelligent conversation with a customer around compliance needs or to become a true compliance expert, says Schoonover.

The Ergonomic Group provided a week or more of compliance training for its engineers, and one to two days for its salespeople. "We do a minimum of two hours of training every week devoted to some issue around compliance like e-mail archiving or document archiving," comments Gogol.

Help from partners

Most major storage vendors have launched campaigns to educate their resellers on compliance and how it can boost the sales of their products.

IBM is pairing regional systems integrators with ISVs so they can combine to sell data backup, retention and recovery software. Such alliances are key because the choice of storage hardware is often driven by the choice of compliance software, meaning a hardware reseller that enters the picture after the software is chosen may lose out, says Alan Stuart, chief strategist and business line executive for IBM Data Retention Solutions. IBM's storage resellers are focusing on which compliance areas to target, such as archiving of data generated by SAP's ERP software or database or e-mail archiving.

Storagetek — which offers disk- and tape-based backup and archiving — is providing training for its resellers in compliance, and is offering its own services to customers or through resale via its partners.

Among the software vendors with programs aimed at helping resellers reach the compliance market are AXS-One, which makes records-compliance management software, and Veritas, which offers more than 90 hours of training for resellers of its Enterprise Vault archiving software.

Foot in the door

The compliance market has also bred specialized suppliers such as Arsenal, which currently does 85% of its business through network services providers such as AT&T, but in the last six months has seen more interest from ISVs (independent software vendors) that sell record-keeping software as well as distributors and VARs, says Brick.

Open Access in Melville, N.Y., is using Arsenal's services to move beyond its traditional offerings of telecom and data network services. Since partnering with Arsenal 12 months ago, Open Access has seen its overall sales double, says vice president of business development Jimmy Tam. "Data and voice is a commodity product," says Tam, "but Arsenal's compliant storage services gave us a differentiator in the market space."

Other resellers echo Tam's experience. "Three years ago, we thought HIPAA would be a strong driver, but it did not drive the demand as we expected," says Gogol. "What it did was allow us to establish a communication channel with health care providers to discuss their storage and backup needs." As a result, Solarcom now has specialists who understand how the growth in digital records such as CT scans is driving demand for storage systems that can securely archive and replicate such records.

Even if the compliance issue doesn't ring up a sale, it can get a reseller in the door for a profitable conversation about a customer's business needs. But resellers need to do their homework first and focus the conversation on business benefits, not just a recycled scare pitch about the latest regulation.

Robert L. Scheier is a freelance writer who specializes in covering storage issues. He can be reached at

Copyright © 2005 IDG Communications, Inc.

Shop Tech Products at Amazon