Thoughts on MSS

Submitted by Mike Rothman on Fri, 2008-06-06 12:45.

I'm always looking for analogies from the "real" world to figure out what is going to happen in security. The Managed Security Services (MSS) business has been evolving rapidly, so I figured I'd spend some cycles to find a market that has already been through this process.

Drum roll please... I think the best analogy to how the MSS business is evolving is the banking business. I know, I know. Banking is big and it's old (being around since before Methuselah) and how dare I actually compare an emerging security practice to the Brahmin business of banking? Hear me out and then call me an idiot.

The banking structure in the US is segmented into largely three buckets and a bunch of folks that want to act like banks:

  1. Global powerhouses: These are the financial supermarkets, like Citi, Goldman, and Bank of America. They are big, and they offer pretty much everything that a company would need from a banking services standpoint.
  2. Super-regionals: These are the largely US-centric, somewhat focused counterparts. I'm thinking like Wells Fargo and Wachovia. These folks want to be a global powerhouse, so they acquire assets as frequently as they can and they try to offer the smorgasbord of services - but they just aren't there yet.
  3. Credit unions and regional banks: There are a ton of these locally oriented institutions that offer a focused set of offerings, usually geographically constrained. In the US alone, there are over 8500 of these companies.
  4. Affinity offerings: If you are anything like me, you are hammered with offers for a credit card from every company you do business with. These folks aren't really in the banking business (with the exception of Wal-Mart, which does have its own bank), but they offer banking services. Mostly because they think customers enjoy having like 20 credit cards in their wallets.

I'm sure all the banking readers out there will tell me I'm wrong, which I probably am. But that's how a non-banking type looks at the market. Now how does the MSS business map to that?

  1. Global powerhouses = Big IT MSS: If you've been paying attention, little companies like IBM, AT&T, Verizon, BT (and now HP, through their EDS deal) have substantial MSS offerings. And they are starting to turn the crank, mostly as add-ons to their other offerings. Security is a value-add and these large guys are leveraging existing customer relationships to build significant MSS market share. I know a lot of the other players say "they never lose to a carrier," but in reality, they never see these deals. Smaller companies are not invited to the table.
  2. Super-regionals = MSS specialists: Folks like VeriSign, SecureWorks, Perimeter come to mind. These guys have specialized practices that tend to focus on a specific vertical. They are doing deals to expand their scope because they want to be global powerhouses (except VeriSign, which is trying to sell that business). They fancy themselves to be nimble.
  3. Credit unions and regional banks = MSS VARs: We are starting to see a lot of VARs dip their toes in the MSS water. Maybe they buy a couple of anti-spam gateways and then they are in the anti-spam services business. Likewise in Web or managing/monitoring firewalls. There are thousands of these guys cropping up, and there will be more - especially as some of the super-regionals start diversifying channels and private labeling their services via the MSS VARs.
  4. Affinity offerings = Vendor SaaS: Any vendor that offers security software is working hard to position their stuff as a "service." They want to smooth their typically lumpy revenue stream and figure customers won't realize the "service" is basically their existing boxes hosted in a co-lo somewhere else.
  5. Others like Microsoft, Google and Symantec, that sort of do MSS type services, but really as a defensive position to protect their existing franchises. Although Google is trying to leverage Postini to break into the enterprise, it's an add-on service on a good day.


So what? I know that's really the question. Well, from a customer standpoint - these dynamics are important. As with banking, working with a Global Powerhouse usually yields a brand cachet (which means you don't have to answer why you're buying from them), but not necessarily the most innovative or nimble provider. If you want to have coffee with the guy running your security, you are likely to pick an MSS VAR that will give you access to whatever you need. But you take the risk of size, viability, and the ability for your provider to scale.

Those looking for specialized knowledge, mostly vertical expertise, will pick the MSS specialists. Though in the not-too-distant future, you'll see the mid-tier super-regionals getting squeezed. They are too big to really pay attention to their customers. But they are too small to compete on a global basis or apply significant pricing bundles that will make a difference to the customer. VeriSign looking to get out of the MSS business is an indication of this trend, and you know the larger independents would take a deal in a hot second if they could give investors back their capital with a reasonable return.

I also believe the vendor SaaS will turn out to be a passing fancy. Sure, it would be great to get an anti-spam service from someone who really knows how to make the equipment work (basically the vendor that built it), but over time they will not be able to get to the scale to make the economics work. Now it's about marketing. Over time, it's about scale.

But the good news about MSS is that you are making a 1-2 year decision. Switching costs are pretty low, so user organizations can constantly shop around and find the best match for what they are looking for.

Submitted by George Hulme (not verified) on Sat, 2008-06-07 19:00.
Hey Mike, nice insightful post on MSS. What do you think of the security services channel, such as what Ingram Micro does with Seismic? Where regional VARs can offer MSS with the backbone of those services provided and hosted by a player who can afford to build the infrastructure to support it? It's possible such a channel could help the ultra-regionals compete?

Submitted by Mike Rothman on Mon, 2008-06-09 18:57.
George, good point on the bigger of the smaller MSS players looking to build a channel to resell their own stuff. Some have been more successful than others, but you need scale to make that work and the smaller VAR would also need to be willing to give up a large part of the revenue in exchange for not worrying about ops. For those VARs that really are just sales engines, it makes a lot of sense. But those that also have fulfillment arms (to do architecture and implementation), I suspect will opt to build their own infrastructure.

Submitted by Brandon Dunlap (not verified) on Thu, 2008-06-19 08:43.

Mike-

Excellent analogy on the banking model! I do, however, disagree with your view that switching costs are low and that you are looking at a 1-2 year minimum cycle. In the case of overall data viability out of the cloud (such as: can I take it with me? Will it import into something else, such as on prem or another cloud? Etc.) you have a much bigger switching cost issue. Having just spoken to an MSSP, they indicate that this is indeed an issue and that savvy customers are asking for exports on a periodic basis, back-ups, and even escrow services for the data in case the provider implodes.

I think it will be interesting to see how this plays out, especially as hosted log management (like AlertLogic) starts to take hold and the requirements for retention put pressure on the business model and technology.

BSD
