6 Tips for Selling a Web Application Firewall Solution

Move beyond high-level conversations about security to explain how security threats differ and why your clients need a WAF to protect their websites and cloud-based apps.

One of the hurdles that managed services providers (MSPs) and value-added resellers (VARs) have to overcome is getting their clients to understand the outcomes they can expect when they invest in technology — and maybe even to understand a product’s name or its acronym. Take “WAF.” It’s probably not going to be immediately obvious that WAF stands for “web application firewall,” and, when some of your prospects hear “firewall,” they may assume that since they use a network firewall, they don’t need another one.

Here are six tips for selling web application firewall solutions and, more importantly, providing your clients with a crucial layer of security.

1. Define the pain.

Find out if you’re talking to a business owner who has dealt with malware a few times this year, or whose website is constantly hacked. Maybe your prospect hasn’t experienced a major cyberattack yet but knows that, because of the type of data they use and store, they’re out of business if they do.

2. Talk about what network firewalls don’t do.

Network firewalls are designed to protect your clients’ IT systems from attacks in the network and transport layers (layers 3 and 4 of the Open Systems Interconnection model). If your customer or prospect transmits data via the internet or has a web presence, however, a network firewall isn’t enough. Web application firewall solutions are specifically designed to analyze traffic coming into a web application.

3. Explain the difference between WAF and intrusion prevention.

Your prospects with intrusion prevention systems (IPS) may wonder why they’d also need a web application firewall solution. While an IPS monitors traffic coming into a business’ network, it’s often not capable of detecting malicious HTTP traffic or protecting against a distributed denial of service (DDoS) attack that floods a website or web application with a high volume of traffic.

4. Show prospects how they can afford the web application firewall solution they need.

So, you’ve convinced your customer or prospect that their security strategy is missing the vital component of a web application firewall solution. But they probably aren’t convinced yet that they can afford a WAF or the resources to manage it. WAF as a Service is the answer they need. Partnering with a vendor that has a WAF as a Service offering will enable you to quickly implement a full-featured WAF for your clients and bill them on a monthly basis for the solution and your services.

5. Be realistic about ROI.

With some of the solutions you provide, your clients can calculate return on investment (ROI) relatively easily. For example, if software saves 30 minutes of labor per day that a $20 per hour employee routinely performs, your client would save $70 per week or around $280 per month. Depending on the cost of the software license or SaaS subscription, the business could see ROI after just a few weeks.

The ROI of security solutions is more difficult to determine. It is more like buying an insurance policy than investing in a business solution that increases efficiency or productivity. To help explain the ROI of web application firewall solutions, security solution provider F5 commissioned Forrester Consulting to quantify the benefits, including:

  • Improved security posture
  • Eliminating time spent on issues that IT resources investigate manually
  • Preventing costs associated with security incidents
  • Avoiding revenue losses because customers can’t access applications
  • Avoiding data breaches and associated costs

6. Close with the value you provide.

IT security is more than implementing a single solution. It’s a combination of WAF, IPS, virus protection, access management and other solutions. Your client needs a comprehensive, layered approach to security that specifically addresses their needs for data protection and compliance. They also need 24/7 monitoring and response. They need the services you provide.

Strongly deliver the message that your team has the expertise, resources, and capabilities that your prospects need.