Day 9 of Incite: The Year of Services?

Managed Security Services provide increasing value in terms of both operational capabilities and content filtering. Users realize that removing threats “in the cloud” provides better bang for the buck for mature technologies (firewalls, IPS, anti-spam, gateway AV, web filtering). The biggest challenge in 2006 will be integrating operational and reporting capabilities across internal and MSS spheres of control.

I read some random reference to “Waiting for Godot” last week, and that is a good place to start my rant about managed security services or MSS.  MSS has been around for close to 8 years and some would argue the category has never really broken out.  It will be instructive to look at some of the analogies from other parts of the services world to get a feel for if/when MSS is going to come into its own.

Let’s look at mainframe outsourcing, clearly a market that has happened basically because there was huge leverage and economies of scale in mainframe operations. The big iron was consistent (you could only buy from Big Blue), most of the software was consistent (now it’s all consistent, since CA has acquired everything), and there were sufficient safeguards and security to allow multiple companies to run applications on the same machine. So the big mainframe outsourcers could come in with legitimate bids that saved companies money, while their margins were acceptable. It was a win/win.

Now let’s look at some network operations services, namely managed router services. Hmmm. Does anyone actually remember companies like INS and NetSolve, who pioneered that market back in the late 90’s? INS was acquired by Lucent (and then spun out again) and NetSolve was acquired by Cisco. There were others, but for the life of me I can’t remember who they were. That market never really broke out, and ultimately the telecom carriers stepped in and provide that service, kind of.

Why didn’t this market happen? Basically it was the lack of consistency. If you are taking on a customer’s equipment, having to manage lots of stuff from different vendors doesn’t provide the economies of scale you need. If you can get all the customers to use only one or two flavors of access routers, then you have a fighting chance. That, in fact, is what the carriers did. But it never took off on the scale everyone expected.

So where does that leave security? That depends on what kind of security we’re talking about. Operational security (managed firewalls and IDS/IPS, etc.) has been a struggle. There has been consolidation (Symantec/Riptech, VeriSign/Guardent) and there are very few start-ups left trying to go it alone. Why? It gets back to the consistency thing. Having to manage multiple types of equipment is hard and it’s even harder to achieve sufficient economies of scale. The intense competition in this space has also hurt things, given the inevitable pricing pressure when too many vendors are chasing too few users.

Operational managed security will continue to see growth moving forward because access routers and very functional firewalls have become cheap enough that it’s now cost effective to just replace the equipment as part of a managed services deal. This allows the consistency that enables service providers to make money. Telecom carriers will increasingly become involved in this market, since fairly mature markets requiring operational scale is where the carriers play most effectively. Expect to see more consolidation, MCI (now Verizon) buying NetSec being the beginning. AT&T has been trying to wedge into this space, expect them to acquire some smaller players this year.

That brings us to the “in the cloud” services, where it doesn’t matter where the activity takes place, either on prem or in the network. Anti-spam, spyware, encryption and web filtering fit into this category. As mentioned in the content security Incite, services to provide these functions are legitimate and in many cases, better options for most customers.

Historically, it was always perceived that MSS was more applicable to smaller companies, since SMB users tend not to have large IT staffs. That characterization is pretty accurate, though the distribution channel to those users is challenging, favoring the telecom carriers (who already do business with these firms) to prevail in offering SMB MSS services.

Yet enterprise customers are embracing MSS-type offerings as well, since they have figured out their large and expensive IT staffs can be better utilized on more strategic endeavors. It’s that whole core vs. context discussion that Geoffrey Moore has been driving. Managing firewalls or anti-spam policies may not be core for your company. In most cases it’s not, so having someone else do it allows you to focus on something that can help you differentiate in the marketplace.

So, what’s the catch? It’s pretty much the same as any other outsourcing relationship. Clear accountabilities and operational responsibilities need to be divvied up between the service provider and internal staff. Some things, like compliance, can’t really be outsourced, so there needs to be clear demarcs and sufficient information sharing to ensure internal staff can report on what’s important.

This also makes evolving to a hybrid MSS/internal operations stance challenging. In the mainframe world, it was pretty straightforward. Basically, your move your applications data to the outsourcer’s processing center and you turn your iron off. Obviously it’s more complicated than that, but not too much. Figuring out how to move and provision the operations of your security infrastructure is far more challenging. But, as MSS has matured, the service providers are defining best practices to streamline the transition.

Make sure you have a Plan B if your service provider is acquired, given the consolidation both with smaller service providers and large carriers. The logic behind these acquisitions is to gain critical mass and/or industry specialization. Thus, the acquirer NEEDS to streamline operations to gain the economies of scale to make the deal pay off. This can (and usually does) impact service levels, so watch your SLAs (service level agreements) like a hawk. If issues arise, thump the service provider on the head and use the out-clause in the contract (you have an out-clause if the service provider is acquired, right?) to look at other options.

But, by all means, check out MSS. This could be the year you get out of managing boxes and start managing your security program.

That’s all for Day 9. I’m traveling until Friday, so may not be able to post until then. Next up, we’ll switch gears and discuss building software securely.