With threats increasing in frequency, type and sophistication, organisations across all market verticals and segments are looking for cost-effective ways to manage network security. One such method - the managed security service provider (MSSP) model - is rapidly growing in popularity. With its focus on cost-saving, increased security, scalability and relative ease of deployment, it's no wonder organisations from SMB to enterprise are adopting the service approach to security in droves. Small wonder too that vendors, distributors, analysts and resellers are all arguing that now is the time to get aboard the managed security train.
STATE OF PLAY
So what exactly is managed security service provision? Analyst firm, Gartner, defines MSSP as the outsourced monitoring and management of security devices and systems. Simple enough, right? Not once you look at the myriad of available services within managed security.
Services offered around the humble firewall include network and technical support, managed intrusion detection, incident response and authentication. Then there are services for keeping vulnerabilities in software applications patched and up-to-date, managing viruses, spam, spyware, peer-to-peer applications and the list goes on.
There's quite an opportunity for those willing to invest in the skills and expertise required to grab a slice of the recurring revenue available in this rapidly growing market.
Gartner Asia-Pacific IT management analyst, Sin-Han Phua, said the MSSP market in Australia was worth about $70 million in 2004. It's now forecast to grow at 22 per cent a year and reach $130 million by 2007.
"Managed security is more than hype now because companies are really investing in them," Phua said.
"Australia is one of the more mature markets in Asia-Pacific for all IT services and has about half of all managed security contracts signed."
Analysts at Frost & Sullivan are even more bullish, suggesting the MSSP market was worth more like $190 million in 2004 and should hit $587 million by 2011.
Whatever way you slice it, managed security services are a big opportunity for everyone from business software consultants and PC builders to national systems integrators and service providers. But what is spurring the market forward?
For Gartner's Phua, this growing end-user spend was due to two core factors - decreased cost and increased security.
With service providers able to monitor security remotely over a range of devices and organisation sizes, services could often be delivered more cost-effectively than if an organisation had kept them in-house.
Furthermore, with a core competency and focus on security, the levels of firewall management, intrusion detection, vulnerability scanning and incident response were usually higher.
DiData's security practice manager, Neil Campbell, said it was also important to remember there were other reasons businesses looked to outsource security.
"It's not all about cost - some companies may want to use op-ex instead of cap-ex and you need to remember that security staff are notoriously hard to find and keep," he said.
Indeed wider macro issues such as skills shortages, consolidation of IT assets, the increasing adoption of mobile and wireless devices and VoIP were also dominant factors, Phua said.
"Part of the reason why Australia has such a high growth rate for managed security services is the shortage of security professionals," he said.
"Technology has advanced quickly and people are not able to catch up, or just plain don't have the skill sets required."
On the channel side, managed security services were increasingly being pushed as a way to combat the commoditisation of security and other IT hardware, McAfee's Asia-Pacific marketing director, Allan Bell, said.
"Desktop PC margins are very slim so we are seeing the channel look to other areas," he said. "In the old days, selling all the desktops to an organisation was enough, but now PCs form a path for offering services like security."
Organised crime, rather than nuisance-making script kiddies, was also a factor in the growing complexity of threats facing organisations, Bell said.
"If it is possible to make money out of extorting a company with a virus or worm, then that inevitably attracts certain kinds of people," he said.
Increasing market pressure on business and government to maintain 24x7 operations made managed security services all the more attractive, Frost & Sullivan's IT security analyst, James Turner, said.
"Organisations are beginning to find the managed security option both commercially compelling and operationally essential," he said.
With many different facets pushing and pulling the need for managed security, where exactly are organisations across the spectrum willing to invest?
Gartner's Phua said end-users were coughing up for services around managed firewalls, intrusion detection and protection, technical support and incident reporting.
DiData's Campbell added vulnerability management, managed VPN, messaging, antivirus and anti-spam.
Keeping systems up-to-date was still a major issue, which meant patch management and vulnerability assessments were big opportunities, McAfee's Bell said.
"With the number of current and new vulnerabilities across operating systems and other applications appearing, the reality is that those things are very hard for a lot of organisations to do," he said.
On the consulting side, security training in areas such as social engineering and security policy development were also shaping up as areas of demand, Bell said.
"Organisations generally do this in-house but there are occasions when they will outsource to security specialists," he said. "They can set policies for the whole organisation, ensure best practice then monitor the tools that enforce those policies."
Going deeper, Frost & Sullivan's Turner said that of all the components of managed security services, authentication - driven by government regulation - was forecast to have the best growth rate over the next few years (27.8 per cent CAGR).
Managed firewalls and VPNs, with the lowest rate, were still forecast to grow (15.8 per cent and 16.3 per cent respectively) but were expected to come under increasing price pressure from ISPs and the perception that these services were entry-level offerings.
The question for the channel is how best to capture the cash. One answer would seem to be sticking to what resellers know best - partnering. And this is exactly what many organisations across the channel are doing.
HELP AT HAND
To help resellers and consultants capture small and medium business opportunities, security distributors were moving to provide skills and expertise to resellers that were previously the domain of dedicated security providers.
This approach also sought to offset the high cost associated with a reseller setting up its own security practice.
For Firewall Systems CEO, Scott Frew, the key was enabling tier-two partners to exploit existing relationships without having to become security experts.
"Most of the tier-two guys who are good at CRM, accounting or PC networks are not security experts - but they are still a technology advisor for the customer," he said.
"Security is a part of that so they have to be able to provide that service. The whole idea is to plug in the managed services component so that the threat management device is being changed to meet the changing threats."
At the upper end, integrators like DiData were also partnering to provide a service while still concentrating on core competencies, Campbell said.
"We back-out some of the monitoring and response parts to partners because they are labour intensive and niche," he said. "You don't have to partner to be successful, but as an integrator I believe you have to stick at what you're good at."
So for smaller integrators without national capabilities, becoming successful in the managed security market could just be a question of moving to more of an outsourced model, Campbell said. It was also a way to avoid the threat of consolidation.
"Some companies do one or two services really well, but they haven't been able to keep the cost down," he said. "MSSP is still very expensive to do and lots of companies are buying business in the hope it becomes profitable in the future."
With any gold rush there are those that walk away rich and those that end up at the bottom of collapsed mines. But there are ways to avoid some of the traps and pitfalls of working in the managed security field.
WatchGuard sales director, Sven Radavics, said resellers had to be aware that security outsourcing by its very nature was a double-edged sword.
"Companies are worried about giving a fundamental part of their business - their data - to a third party, but at the same time need to protect that data using skills they don't have in-house," he said.
To get around this conundrum, sales teams should be trained and learn how to promote the value of security services, Radavics said. Agreeing, McAfee's Bell said end-user concern was easily surmountable.
"Some organisations prefer to keep security in-house, but in practice the risk is not going to come from the outsourcer," he said. "In practice they will provide access to skill sets you don't have. In fact the right approach can even be a combination of in-house and outsourced skills."
Another plan of attack, according to DiData's Campbell, was to sell cost and risk effectiveness through a compliance framework.
"Regulation is increasing so outsourcing has become more viable as a way of transferring risk for an organisation," he said. "By looking to a specialist you are being seen as doing something about security."
Echoing this, Firewall's Frew said many resellers were taking the wrong sales approach when it came to security. Instead of making security a business continuity, threat management and compliance sell, resellers went for the business productivity approach.
"The first step in changing this is, of course, education," he said. "Not to the point of becoming a security expert, but enough to spot the opportunities and understand the case for managed security."
Frew claimed the practices of some resellers were the greatest challenge facing the managed security services market. He said they needed to get away from making a quick firewall sale and neglecting to support it with a maintenance contract because this was short-changing themselves and the customer.
"A lot of these boxes really need annualised contracts with the vendors to at least keep the software up-to-date, let alone do the management component," he said.
With many players moving into the space, particularly entry-level monitoring, the commoditisation of services was another challenge facing resellers, Gartner's Phua said. Agreeing that the boxes upon which security services were based were arguably commoditised a year ago, Firewall's Frew insisted managed services by no means were.
"The basic firewalls are commoditised but the box itself is only part of the threat management and security story," he said. "The skill of updating and managing - not monitoring - firewalls is not a commodity sell."
Agreeing, WatchGuard's Radavics said managed security services were in fact the answer to the commoditisation of the basic firewall market.
"There are a lot of players in managed security services and a lot are getting large revenues but there are only a small number of users," he said. "So that means there is still a few years before these services become commoditised. We're still in the early stages."
However, Australian resellers should be wary of ISPs' increasing ability to provide basic security services at low cost, Radavics said.
"In Europe, the most successful providers are ISPs rather than security specialists," he said. "Basic monitoring services are a good value-add to basic connectivity and they also had large customer bases - often in SMEs - so they got busy."
Arguing that it was unrealistic for resellers with minimal security skills to enter the managed services market, DiData's Campbell questioned the value a reseller teaming up with a distributor offering security services could bring.
"Perhaps there is an opportunity at the bottom end where a security service is treated as a product sold to a reseller," he said. "But the problem is that it is hard to treat a security service as a box."
Disputing this, Radavics said security services could be sold as a product as long as they were flexible, had scope for modifications and featured ongoing support.
Finally, Campbell suggested resellers would have to work hard to bring any SMB-targeted security services down to the right price point.
"The issue is getting the service at the right price point," he said. "Managed security services tend to be in the thousands per month where SMBs want it in the hundreds per month range, so you have to take out some of the bells and whistles.
"A lot of the cost of that is changing a configuration for a customer, so one way to limit the cost is limit the number of changes to one per month or less."