A dishonest, cheating and incompetent security manager could ultimately be a security solution provider's best customer, according to a survey conducted by Channel Insider and CompTIA. Eight-five percent of solution providers say when a customer calls for help in correcting security issues, the engagement more than likely will lead to a new product or services sale.

The conversion rate in these engagements, solution providers say, is equally good for security product sales and managed services -- 26 percent for each. In one out of five situations, the customer will retain the solution provider for professional services to augment or fill the gap in skill sets and resources. Only 14 percent of these engagements lead to a hybrid sale of security products and managed or hosted solutions.

The survey conducted over the summer probed the murky problem of under-reporting and outright lying of security incidents by end users. Other research efforts had uncovered some startling evidence that security managers in all-sized businesses will cut corners, lie or file incomplete security reports to cover up their individual and organizational shortcomings.

One-half of the survey participants said in the last 12 months they had been called by their customers to remediate security issues related to improper reporting or resolve shortcomings in security implementations and management. The most common problems they're fixing are overlooked or unresolved vulnerabilities, rogue and unauthorized software, inaccurate compliance reporting, and poorly patched systems.

No wonder security reporting problems exist in end-user organizations, since security managers and administrators are constantly fighting a two-front battle: internal and external threats against their data and infrastructures, and budget and resource constraints.

With few exceptions, security remains the black hole of business spending; it's not a profit center, so every dollar spent is preventative but also detracting from other activities. Worse, it's difficult to show a positive return on investment; you spend a lot of money on security and, if you're diligent, you'll see nothing happen.

Despite the increased attention given to security threats and practices, many organizations persist in being reactionary toward security -- meaning that they only respond when an incident occurs or they are forced to address a compliance issue by a regulatory or oversight body.

According to the survey, solution providers that are called in to correct a reporting and compliance issue are more than likely to convert the opportunity into a new sale. Only 24 percent of solution providers say that such engagements do not result in new sales and services opportunities.