It's already had a major impact in the applications space and now software-as-a-service (SaaS) is fast becoming the area of investment for traditional security vendors. A year on from its acquisition of on-demand security provider, BlackSpider Technologies, SurfControl is lining up against the likes of Symantec, Postini and MessageLabs to secure pole position in the online content filtering landscape. SurfControl's executive vice-president and BlackSpider founder, John Cheney, was recently in town to tell local customers and partners about its online email and Web security services. He spoke with ARN about its value proposition, why on-demand is an opportunity for channel partners and how he sees the security market evolving.
Why is SurfControl investing in on-demand email and Web security?
John Cheney (JC): Organisations are increasingly recognizing that managing and maintaining their own Web and email security infrastructure is less effective than using a third party. An analogy I always use is that of a water company. You expect clean water in your tap at home, but you don't expect to build your own water filtration system in your house. But for most companies, they've been building their own Web and email filtration systems. By using a third party, not only do they get economies of scale, they also get a better service from a person who specialises in Web filtering capability and who is able to do that for thousands of customers. And that's why we're moving towards it. Gartner estimates 40 per cent of the global market will be using a managed email security service by 2009. We're now processing a billion email connections every week worldwide. About 800 million of those are complete rubbish like spam and viruses. And we're filtering that out before it reaches the network. This is interesting when you look at the recent OECD report about Internet bandwidth in Australia and that it's the second worst developed country in the world for bandwidth. Clearly bandwidth is an issue. Not having it tied up with junk email makes a lot of sense.
How much of the technology behind your new on demand service is from BlackSpider?
JC: The underlying stuff is all BlackSpider, but clearly we have a broader portfolio than just on-demand. We recognise that while 40 per cent of customers might use an on-demand service, the other 60 per cent will want a software solution or an appliance. There's a market for both and customers are choosing based on the size of their organisation; what their management philosophy is - are they an insourcing or outsourcing company; and technical requirements - if they have a lot of sites for example, it's often better to have it in the [Internet] cloud rather than have a box on each site. Other customers are more comfortable with something they own and control.
What does the typical on-demand security service customer look like?
JC: It varies, but our average customer is what I would call the mid-market with up to 800 users. What we find is there's different buying criteria: smaller organisations with 25-100 users are using the services because they don't have the skills in-house. As you move up to larger organisations, they're buying because they recognise an on-demand service is more cost-effective and easier to maintain. For them, it's like making a traditional outsourcing buying decision.
How does the channel fit in an on-demand world?
JC: It's a different model, but it presents good opportunities for channel partners. The benefit of the services model is that it's a recurring revenue stream and our renewal rates are very high - 98 per cent globally. From a reseller perspective, they are getting high margin annuity revenue for their business, which is what they want.
Another interesting dynamic for security-centric resellers is that most have typically operated at a network manager level. They haven't been dealing with the CEOs or CXOs within a customer's business. A services proposition does change that. Our partners in Europe and the US have told us selling an on-demand service really raises their profile inside the organisation. One of our partners has been using services as a good mechanism to regularly meet with their customers. Six months into an engagement, they do a services review with the buyers, and, at that stage, they can ask about other things they're planning and thinking of doing. So it's helping them move from being a tactical supplier of security solutions to being more of a strategic advisor.
Are traditional security resellers the biggest channel for these services?
JC: It falls into two camps: it's the security-centric partners because they understand the landscape; and it's also been the service providers - ISPs, people running managed services - because it fits with their business model. And we're making some good progress with those partners in this [Asia-Pacific] region.
Do you see more of SurfControl's business transitioning to online?
JC: Yes it the short answer. Some of our larger customers are using our layered solution and that's a function of the fact that they want to filter where the data is. If they don't want company confidential data leaving the network they need to be filtering inside the network. For smaller organisations, an on-demand service can address all of their requirements. We think customers will pick and choose what makes sense for them. Some will want both software and appliances and services - others will just want a services offering. Our strategy is to provide all three of them and work with customers to decide what's best for them.
Will SurfControl look at other ways to utilise that ondemand framework?
JC: One of the real benefits we're aiming to provide is visibility of worm data. You get visibility of threats in the cloud, and we can use that to improve the quality of our products. A simple example is phishing. If we see a phishing attack in the network, we can very quickly take that URL and put it into our Web filtering products so the customers using those on the network are then protected. So it provides us with a good early warning system for identifying threats and updating all of our products.
How will Websense's acquisition of SurfControl affect your on-demand strategy?
JC: We won't be through that [acquisition] process until October. We won't be able to have roadmap discussions about where the two companies will go forward until then. But it's clear from the statements they have made that they see the on-demand business as an exciting discussion. I would expect to see Websense leveraging our data and combining it with their technology to improve the threat picture for both sets of customers.
The acquisition also strengthens Websense and SurfControl in the battle against other security goliaths.
JC: And that's the real driver for the deal. Customers are telling us they want to have less vendors on-board, they want to improve the management of the products, and they want them to be easier, cheaper and more effective to use. So we're seeing mainstream security vendors entering our market. Google just bought one of our competitors [Postini] so our competitive landscape is changing dramatically. The combination of Surf- Control and Websense will provide a bigger, more established player that can compete with the Google's and Microsoft's of the world, as well as Symantec, McAfee and Trend Micro. The security market is evolving rapidly and consolidating. You need to be a bigger player to be successful.
Some industry representatives are arguing that security products will eventually be integrated into other types of technologies - whether it be storage, the network or the operating system. Do you see that happening?
JC: I think all of those systems will have security built-in. But if you look at what security really means: what we help our customers do is manage acceptable risk. There's no such thing as absolute security - if you cut all the wires we'd have security but then you'd have no communications. I think there will always be an industry around helping customers manage and mitigate their risk - whether it's in storage systems, or if it's in email trafficking.
What's happening with the security market as it matures is that we're moving away from point solution to suites of solutions, and some of the threats are changing. The security market started with antivirus and firewall, now we're into understanding what's contained inside data and managing that, and we see the market evolving into an information and content management issue. As a customer, I accept email will continue to f y backwards and forwards, but I'm concerned about what's in them. I have to accept that information is going to leave my business, but I'm concerned about what information. I think the security market we operate in is going to evolve into a content market concerned with the data flying around, in and out of the network, and what's installed and managed by organisations. That's distinct in my mind from the threat protection market of antivirus, intrusion protection and detection, which I do think will sit in the network and on the desktop.
This also brings you into a field of new competitors such as Google and Microsoft.
JC: To be honest, I'm very comfortable having those organizations as competitors right now. I doubt most organisations will feel comfortable outsourcing their email security to the world's largest advertiser for example. Google does advertising - that's their thing, and it's not security. That may change in five years, but I know when I talk to my CEO, we're worried about security. And I'm sure Bill Gates is more worried about the operating platform than he is about the security solutions inside Microsoft. Right now, the security market is still moving quickly enough that our focus is key. We need to be conscious of what those guys are doing, but today and over the next couple of years, I think most security managers will put their trust in IT security-centric providers.
The market will continue to consolidate - I have personally been bought four times during the last eight years. Security will become an application insider broader IT. Although it was a little surprising Google acquired Postini, it wasn't surprising that [Postini] got acquired. And we'll see more mainstream computer companies coming into the game - IBM bought ISS [Internet Security Systems] for example. HP doesn't seem to have made a move in that market yet, but I'm sure it will.
Ultimately, this consolidation is good for end customers, but it creates some challenges for the channel. Waking up today as a Postini reseller probably isn't a great place to be as Google isn't well known for its channel strategy. And when Microsoft bought FrontBridge in Europe we had a lot of resellers coming to us because they didn't want 5 per cent rebates.
Cisco is very active in the network space and in security, having acquired IronPort recently, and Juniper acquired Net-Screen. Security will be in the network and I think it will be in applications. Our role is to provide that secure content management structure.