MSS

After my "Special Incite" on MSS last week, I got some good feedback. Most of it said my analogy to the banking industry was spot on. Of course, there are always those vendors that send me notes wingeing about how I've got them mis-categorized and how I don't understand their business.

Whatever. But one of the comments bears digging a bit deeper into. And that was the idea of a managed security service provider, who is part of a product vendor, claiming to be "vendor neutral." You've heard it before. In fact, all the big IT providers, who have big IT service engines, claim to be vendor neutral.

I posit that these folks provide MULTI-VENDOR SUPPORT. That means they can manage and support products from their competition. But they are not neutral. Not by any stretch of the imagination.

They aren't. In fact, they can't be. And just so I'm not being my general cynical self, I'll actually put in place a few hurdles for these vendors to prove they are truly VENDOR NEUTRAL.

1. Separate sales force - This is really the first hurdle and it's usually the hardest one to overcome for a lot of the vendors. Basically, services is a value-add they sell to their existing product customers. But to really be vendor neutral, then they have to have a separate sales force, who only sell services.
2. No services comp for product reps - Let's say a vendor actually does have a separate sales force for services. Great. Do their product reps get compensated when a services engagement is sold to that customer? If yes, then again, they are not truly vendor neutral because there are kick-backs happening. Sure, they are finder fees, but at the end of the day, you can't be neutral if you are kicking back commission to the guy selling hardware (or software).
3. No product comp for the services reps - Yes the converse has to be true as well. The services reps cannot get compensated if a new set of products gets sold based upon an engagement.

To be clear, these are 3 very high bars and they should be. Because NEUTRALITY is not something to be trifled with.

Personally, I don't think any vendor that does MSS (or any other services for that matter) should be claiming to be neutral. It's important to get some level of leverage from efforts both on the product and services side. If you can't do that, they why even bother? So providing multi-vendor support is not a bad thing, but it's not being vendor neutral either.

End user organizations need to figure out what is important to them. I'm cool with doing business with a product vendor's services arm. As long as they go in with their eyes open. The vendor wants to sell product, and they should. You (the user) may even want to buy that product. And you shouldn't feel bad about that. But don't believe them when the first bullet on the vendor's services PPT is "vendor-neutral."

Photo credit: shadowtech

I'm always looking for analogies from the "real" world to figure out what is going to happen in security. The Managed Security Services (MSS) business has been evolving rapidly, so I figured I'd spend some cycles to find a market that has already been through this process.

Drum roll please... I think the best analogy to how the MSS business is evolving is the banking business. I know, I know. Banking is big and it's old (being around since before Methuselah) and how dare I actually compare an emerging security practice to the Brahmin business of banking? Hear me out and then call me an idiot.

The banking structure in the US is segmented into largely three buckets and a bunch of folks that want to act like banks:

1. Global powerhouses: These are the financial supermarkets, like Citi, Goldman, and Bank of America. They are big, and they offer pretty much everything that a company would need from a banking services standpoint.
2. Super-regionals: These are the largely US-centric, somewhat focused counterparts. I'm thinking like Wells Fargo and Wachovia. These folks want to be a global powerhouse, so they acquire assets as frequently as they can and they try to offer the smorgasbord of services - but they just aren't there yet.
3. Credit unions and regional banks: There are a ton of these locally oriented institutions that offer a focused set of offerings, usually geographically constrained. In the US alone, there are over 8500 of these companies.
4. Affinity offerings: If you are anything like me, you are hammered with offers for a credit card from every company you do business with. These folks aren't really in the banking business (with the exception of Wal-Mart, which does have it's own bank), but they offer banking services. Mostly because they think customers enjoy having like 20 credit cards in their wallets.

I'm sure all the banking readers out there will tell me I'm wrong, which I probably am. But that's how a non-banking type looks at the market. Now how does the MSS business map to that?

1. Global powerhouses = Big IT MSS: If you've been paying attention, little companies like IBM, AT&T, Verizon, BT (and now HP, through their EDS deal) have substantial MSS offerings. And they are starting to turn the crank, mostly as add-ons to their other offerings. Security is a value-add and these large guys are leveraging existing customer relationships to build significant MSS market share. I know a lot of the other players say "they never lose to a carrier," but in reality, they never see these deals. Smaller companies are not invited to the table.
2. Super-regionals = MSS specialists: Folks like VeriSign, SecureWorks, Perimeter come to mind. These guys have specialized practices that tend to focus on a specific vertical. They are doing deals to expand their scope because they want to global powerhouses (except VeriSign that is trying to sell that business). They fancy themselves to be nimble.
3. Credit unions and regional banks = MSS VARs: We are starting to see a lot of VARs dip their toes in the MSS water. Maybe they buy a couple of anti-spam gateways and then they are in the anti-spam services business. Likewise in Web or managing/monitoring firewalls. There are thousands of these guys cropping up, and there will be more - especially as some of the super-regionals start diversifying channels and private labeling their services via the MSS VARs.
4. Affinity offerings = Vendor SaaS: Any vendor that offers security software is working hard to position their stuff as a "service." They want to smooth their typically lumpy revenue stream and figure customers won't realize the "service" is basically their existing boxes hosted in a co-lo somewhere else.
5. Others like Microsoft, Google and Symantec, that sort of do MSS type services, but really as a defensive position to protect their existing franchises. Although Google is trying to leverage Postini to break into the enterprise, it's an add-on service on a good day.

So what? I know that's really the question. Well, from a customer standpoint - these dynamics are important. As with banking, working with a Global Powerhouse usually yields a brand cache (which means you don't have to answer why you're buying from them), but not necessarily the most innovative or nimble provider. If you want to have coffee with the guy running your security, you are likely to pick an MSS VAR, that will give you access to whatever you need. But you take the risk of size, viability, and the ability for your provider to scale.

Those looking for specialized knowledge, mostly like vertical, will pick the MSS specialists. Though in the not-too-distant future, you'll see the mid-tier super regionals getting squeezed. They are too big to really pay attention to their customers. But they are too small to compete on a global basis or apply significant pricing bundles that will make a difference to the customer. VeriSign looking to get out of the MSS business is an indication of this trend, and you know the larger independents would take a deal in a hot second if they could give investors back their capital with a reasonable return.

I also believe the vendor SaaS will turn out to be a passing fancy. Sure, it would be great to get an anti-spam service from someone who really knows how to make the equipment work (basically the vendor that build it), but over time they will not be able to get to the scale to make the economics work. Now it's about marketing. Over time, it's about scale.

But the good news about MSS is that you are making a 1-2 year decision. Switching costs are pretty low, so user organizations can constantly shop around and find the best match for what they are looking for.

 

OK, here are the final four Report Cards of 2006. Tomorrow I'll have a bonus for you all in the form of grading a less publicized set of predications I made for 2006 as well. If you relish seeing me squirm under the weight of my abysmal ability to predict things, you'll love tomorrow's post.

Incite #9: Services

Managed Security Services provide increasing value in terms of both operational capabilities and content filtering. Users realize that removing threats in the cloud provides better bang for the buck for mature technologies (firewalls, IPS, anti-spam, gateway AV, web filtering). The biggest challenge in 2006 will be integrating operational and reporting capabilities across internal and MSS spheres of control.

Grade: B

Original Days of Incite post: here
Incite Redux post: here

Managed Security Services (MSS) continues to be the enigma of the security business. The stand-alone folks (Perimeter Internetworking, SecureWorks, and a zillion garage band providers) continue to show good linear growth and are growing both organically and via acquisition. But are either big enough or growing fast enough to go public, or get taken out at a high multiple? What about CyberTrust, which is the largest stand-alone services shop by an order of magnitude but remains pretty quiet?

Can MSS stand-alone for any length of time? Does it matter?

The other part of the enigma is that it’s just not clear how big or how profitable many of these players are, given that most services operations are a small part of a big company. Symantec, VeriSign, AT&T, now BT (after the acquisition of Counterpane) and IBM (after buying ISS) all have MSS operations, but is this strategic for them or just something that they kind of should do, probably? See, quite an enigma.

When faced with an enigma, I usually default back to the customer requirement, which remains strong for MSS. Managing security hasn’t gotten easier and perimeter defenses tend to be pretty stable at this point, so having someone else do it makes a lot of sense. If I could get rid of bad content (email and web filtering) in the network, isn’t that a good thing? You bet and that’s not changing moving forward.

What about these “clean pipes” services from the bit haulers? That didn’t happen in any sense in 2006. Big Telecom continues to try to figure out what security means and given they are a little pre-occupied with things like Triple Play, adding value to the pipe has fallen to the bottom of the list. Will clean pipes happen? Yes at some point, but probably not in 2007 either.

The last part of the Incite was a bit ahead of itself, since the large enterprise has largely not embraced MSS and mid-sized companies tend to be cool with the MSS’ folks doing most of what needs to be done. So the need for integration of MSS and internal security operations are largely non-existent.

But given the customer need and the inevitable entrance of bigger players – MSS will continue to be a legitimate operational option for customers to farm out some of the drudgery associated with ongoing security functions.

At the risk of offending pretty much everyone, let me tell you a little bit about MiSS Consolidation. She (or could be a he, but the MiSS moniker makes it work) is kind of like some of those ladies from high school that you haven't seen for a long time. Back in the late 90's, she was a babe. The VCs fawned over her and she got invited to all the cool parties and money rained from everywhere. Then she went through her awkward stage. Probably had something to do with a hangover from spending all that money. Some of them moved away, some just disappeared.

But then you decided to go to your high school reunion and you saw her again. She's had a few kids and probably adopted a few. She's large and in charge. She's brutally efficient and given the rate of her eating, there is no telling how big she's going to get. "Built for speed" is how we used to refer to those ladies way back when.

Sufficiently nauseated and offended? Good. I'm in that kind of mood today. But let's get back to the topic at hand. Between the recent IBM/ISS deal and today's SecureWorks/LURHQ deal (info on the deal here), there is no question that MSS providers need to get big or get out. And they need to do it NOW.

The vendor dynamics are pretty straight forward. Stand alone MSS providers are going to get squeezed. The big guys will drive down the costs because they can and there's little outward differentiation. And VARs will increasingly decide to get into the MSS game and cut the lower part of the market out of the mix. So the stand alone guys better get the heft to compete on price and efficiency.

For these reasons, I actually like the SecureWorks/LURHQ deal. First of all, they get to dump probably the worst company name out there (what the hell is a LURHQ?), as the combined entity will be called SecureWorks. But there is also little overlap. SecureWorks plays in the SMB space, mostly financials. LURHQ specializes in larger entities with little verticalization. They've got little overlap on the technical side as well. Each focused on a different aspect of running security networks. SecureWorks on FW and network IPS. LURHQ on SIM and management.

Of course, there is a lot of execution to happen. And we cannot minimize those complexities. They will need to wring some costs out as well. But there is leverage in joining the two models, streamlining operations and moving to a consistent go 2 market model.

And MiSS Consolidation will be back. She's hungry and her appetite cannot be satiated.

SecureWorks is well positioned to be gobbled by someone bigger. They've got enough heft (run rate of about $50 million) and enough customers to make a difference. They will be an attractive target for someone either looking to gain a bigger presence (like VeriSign or Symantec) or get into the MSS business (McAfee or HP). Or maybe even a carrier like AT&T, given SecureWorks already has a relationship with BellSouth and Verizon has the NetSec guys from MCI.

But this won't be the last MSS deal we see. Not by a long shot.

 

The consolidation frenzy in tech-land continues unabated. Since only one of these deals is security related, I thought I'd do a wrap-up post quickly summarizing each deal and underscoring some of the trends that drive these hook-ups, since none of these would make the TDI cut themselves.

In TDI format, here goes:

Deal: Verano finds the eDMZ
So what? - Verano is a company you've probably never heard of, unless you are in the utilities business. They provide security services for this vertical in the form of understanding SCADA systems. I'm not exactly sure what that means, but evidently they do OK at it. Buy buying the struggling eDMZ's managed services offerings (eDMZ who? - which is exactly right), Verano can now address one of the big blind spots in the land of utilities - protecting the SCADA system. Like smaller financials, many of the utilities don't have the resources to really protect their systems, and if something goes down - it's very inconvenient for the residents. This is a logical move for Verano and we will see more of this niche industry consolidation of players that couldn't make it on their own.
http://www.verano.com/news/pr091206.php

Deal: AT&T pledges allegiance to the USi
So what? - I can honestly say that USi was my worst investment ever. I'm not sure i'll ever make back my capital losses on that one. But it's interesting that AT&T would take them out at this point. Clearly AT&T has to figure out how to climb the stack and outsourcing applications is one way to do it. They still own Sterling Commerce and now with USi are going to be able to have different conversations with customers with this stuff in the bag. From a security viewpoint, it's about application securty and what are they doing to ensure my data (it doesn't get more sensitive than HR and ERP data) is protected? Will AT&T be able to scale the model cost effectively? But given the negative margins in many of their other businesses, this seems to be a logical direction. How long before Verizon copies this strategy too?
http://www.sbc.com/gen/press-room?pid=5097&cdvn=news&newsarticleid=22676

Deal: Apptix says check-Mi8
So what? - Apptix recently acquired my managed Exchange provider, and now they are taking out another player - Mi8. None of these services are big money players (all have been doing about $4-5 million /quarter), but if you put them all together and apply some economies of scale this could be a cash register. And you get a presence in many of these SOHO small business that will increasingly be looking to outsource more of their infrastructure. Again, security is adjacent to this deal, only in trying to figure out how your data is going to be protected - given the sensitivity of stuff that is stored in email. But there is no doubt that managed offerings are gaining traction in the 1-100 employee segment, and Apptix is willing to spend the money to be a player.
http://www.apptix.com/media/pressreleases/091106/

Stay tuned, I suspect the investment bankers will remain busy for quite a while disposing of the too-many VC funded companies that remain in tech-land. If those folks weren't so parasitic, maybe that's something I'd suggest to the kids.

 

In this week's NetworkWorld column, I go through some of the thinking behind IBM's acquisition of ISS. Of course for loyal readers none of this will be new. But if you are interested in how many Gulfstream V's or Bentley Continental GT's you could buy with $1.3 Billion dollars - read on.

http://www.networkworld.com/columnists/2006/091106rothman.html

 

SearchSecurity has produced the second part of their Identity and Access Management school and I did a 45-minute webcast about the evolution of security and how it is increasingly being integrated into the network. Stiennon's SNF anyone? I talk about LAN security (which is a superset of NAC) and a number of security services where you get protected "in the cloud."

Here is the SearchSecurity description:

WEBCAST: A Glimpse Into the Future of Security-Enabled Networks

Through both vendor consolidation and evolution, security
capabilities are increasingly being woven into the network fabric,
but is this a good thing or does it undermine everything that you've
done over the past ten years? Attend this webcast and learn about:

** Three different future state of security scenarios including
network security remaining a best of breed function
** A network security architecture that provides better protection
for your company and secures your information
** How integrating security into you network can reduce costs and
save time

You can access the webcast here: http://searchsecurity.bitpipe.com/detail/RES/1155228297_93.html

A recent post on the Ferris Research blog (http://blog.ferris.com/2006/04/vendor_guarante.html) got me thinking about the role of SLAs in managed services. To cut to the chase, most SLAs are not worth the paper they are written on. Ferris is exactly right on this one.

Why? They are only refunding the cost of the service, which does not compensate you for whatever damage the outage actually cost you. So if your managed IDS service doesn't catch something or the box goes down and stops traffic - you are out of luck. They'll begrudgingly give you your couple hundred (or thousand) dollars back for that month, but it's a pyrrhic victory at best. It definitely won't help you pull the fingers of your customers out of your eye.

Little ol' me also had a problem with this recently when my email security provider (MXLogic, which is the only option through my hosted Exchange provider) decided to upgrade something in the middle of the US work day. My mail was down for over an hour until I manually redirected my MX. I wasn't happy and my mail provider was even more pissed off because they had hundreds of customers calling in and yelling. My compensation? Nothing but angst and the ability to poke them on my blog.

The MSS folks have learned and that's why there are all sorts of caveats and limitations on their SLAs. I used to work for one of the original security services shops and we had quite an issue because our service provided a real guarantee against hacking. Basically, we would pay for damages if a "certified" company got hacked. It never happened, but it was a liability nightmare. No insurance company would underwrite the business, so we had an unfunded liability. Let's just say that wasn't good for the balance sheet, but it was very hard to communicate to customers that we wouldn't support the guarantee anymore. At least the next set of providers learned from our misery.

So if you are a customer, what do you do? Basically, you still push for a stringent SLA. Mostly because it indicates to the provider that you mean business and that you expect them to take your business seriously as well. But don't be fooled into thinking that you'd be able to collect anything and that it would matter even if you did.

Being out at the annual RSA show is always interesting. You try to get a feel for what is "hot" and what is actually selling. Over time, it has been amazing to track the hype and watch carefully for the signs of adoption.

Hype began in earnest a couple of weeks ago for "on-demand" security, driven by the formal announcement of Microsoft's Windows One Care and Symantec's Genesis. You can read the analysis of Genesis here. At the show, expect big thought leadership messages from the RSA keynotes, specifically VeriSign's Stratton Sclavos and ISS' Tom Noonan.

Noonan hit the circuit last week to start building up momentum for ISS' on-demand strategy. Check out eWeek to get the news. The article starts off with:

"Tom Noonan is fed up with the security industry. He's tired of seeing every new point solution touted as the savior of the Internet, and he's had it with the hodgepodge of security technologies from various vendors not working together and causing administrators more headaches than the threats they're trying to protect against."

Amen brother. That's awesome. I'm fed up too, and we are largely on the same page about too many narrowly focused products trying to solve every minor security issue. That's what "no mas box" is about and it's right. Something has to change. Best of breed is fine, as long as it fits into the existing infrastructure.

Is ISS the right company to be driving this change? They have a good a claim as any, I guess. But success will require more than fancy slides at RSA. To be clear, I have not spoken to ISS about their strategy (even though they are right down the street) and am planning to do so right after RSA. But let me give a couple of early impressions:

1. ISS needs to do something - Clearly the company has seen a bit of a renaissance driven by the move to Proventia appliances. But, in order to convince folks they are a security player with longevity (as opposed to waiting for Cisco or CA to buy them out), a big story demonstrating this is critical. Of course, executing on this over time is pretty important too.
   
   
2. On-demand security is nothing new - You get anti-virus updates on your machine every couple of days. Your anti-spam gateway may update signatures every 10 minutes. It seems every Tuesday you are getting patches for Windows. What is different about "on-demand?" Basically nothing. The idea of linking your asset base to a vulnerability scanner to get relevant updates is not novel (we tried to do that at TruSecure and Tenable and Sourcefire do it today). Packaging and pricing as a service is kind of novel. Moving to the razor blade model probably makes sense over time.

I'll also pull another quote from the article, this time from the reporter.

"But the security community has been slow to adopt the software-as-a-service model, in large part due to the concerns that many enterprises have about putting the security of their networks in the hands of outsiders."

This is actually wrong. Have companies TOTALLY outsourced their security? No, but how can you do that unless you've totally outsourced your infrastructure. But the adoption of targeted services is happening right now. Lots of folks have their ISP or outsourcer manage their firewalls and IDS devices. That is increasingly becoming the purview of the carriers and that trend will continue. And services for vulnerability scanning and email security tend to have as great (if not greater) market share than their on-prem counterparts. Check out the MSS Incite for more detail.

So, there will be lots of stuff announced this week at RSA, much of it aimed at driving hype to usher in the "on-demand" age of security. Much of this will be re-branding of the existing stuff, so we will see some innovative marketing to make the old stuff seem new. But, the short-term impact is minimal.

Yet, the idea of leveraging the "network" where it makes sense to increase security and speed reaction is right and this will happen. The question is just when. You know I'll be watching closely for when it becomes real.

Managed Security Services provide increasing value in terms of both operational capabilities and content filtering. Users realize that removing threats “in the cloud” provides better bang for the buck for mature technologies (firewalls, IPS, anti-spam, gateway AV, web filtering). The biggest challenge in 2006 will be integrating operational and reporting capabilities across internal and MSS spheres of control.

I read some random reference to “Waiting for Godot” last week, and that is a good place to start my rant about managed security services or MSS.  MSS has been around for close to 8 years and some would argue the category has never really broken out.  It will be instructive to look at some of the analogies from other parts of the services world to get a feel for if/when MSS is going to come into its own.

Let’s look at mainframe outsourcing, clearly a market that has happened basically because there was huge leverage and economies of scale in mainframe operations. The big iron was consistent (you could only buy from Big Blue), most of the software was consistent (now it’s all consistent, since CA has acquired everything), and there were sufficient safeguards and security to allow multiple companies to run applications on the same machine. So the big mainframe outsourcers could come in with legitimate bids that saved companies money, while their margins were acceptable. It was a win/win.

Now let’s look at some network operations services, namely managed router services. Hmmm. Does anyone actually remember companies like INS and NetSolve, who pioneered that market back in the late 90’s? INS was acquired by Lucent (and then spun out again) and NetSolve was acquired by Cisco. There were others, but for the life of me I can’t remember who they were. That market never really broke out, and ultimately the telecom carriers stepped in and provide that service, kind of.

Why didn’t this market happen? Basically it was the lack of consistency. If you are taking on a customer’s equipment, having to manage lots of stuff from different vendors doesn’t provide the economies of scale you need. If you can get all the customers to use only one or two flavors of access routers, then you have a fighting chance. That, in fact, is what the carriers did. But it never took off on the scale everyone expected.

So where does that leave security? That depends on what kind of security we’re talking about. Operational security (managed firewalls and IDS/IPS, etc.) has been a struggle. There has been consolidation (Symantec/Riptech, VeriSign/Guardent) and there are very few start-ups left trying to go it alone. Why? It gets back to the consistency thing. Having to manage multiple types of equipment is hard and it’s even harder to achieve sufficient economies of scale. The intense competition in this space has also hurt things, given the inevitable pricing pressure when too many vendors are chasing too few users.

Operational managed security will continue to see growth moving forward because access routers and very functional firewalls have become cheap enough that it’s now cost effective to just replace the equipment as part of a managed services deal. This allows the consistency that enables service providers to make money. Telecom carriers will increasingly become involved in this market, since fairly mature markets requiring operational scale is where the carriers play most effectively. Expect to see more consolidation, MCI (now Verizon) buying NetSec being the beginning. AT&T has been trying to wedge into this space, expect them to acquire some smaller players this year.

That brings us to the “in the cloud” services, where it doesn’t matter where the activity takes place, either on prem or in the network. Anti-spam, spyware, encryption and web filtering fit into this category. As mentioned in the content security Incite, services to provide these functions are legitimate and in many cases, better options for most customers.

Historically, it was always perceived that MSS was more applicable to smaller companies, since SMB users tend not to have large IT staffs. That characterization is pretty accurate, though the distribution channel to those users is challenging, favoring the telecom carriers (who already do business with these firms) to prevail in offering SMB MSS services.

Yet enterprise customers are embracing MSS-type offerings as well, since they have figured out their large and expensive IT staffs can be better utilized on more strategic endeavors. It’s that whole core vs. context discussion that Geoffrey Moore has been driving. Managing firewalls or anti-spam policies may not be core for your company. In most cases it’s not, so having someone else do it allows you to focus on something that can help you differentiate in the marketplace.

So, what’s the catch? It’s pretty much the same as any other outsourcing relationship. Clear accountabilities and operational responsibilities need to be divvied up between the service provider and internal staff. Some things, like compliance, can’t really be outsourced, so there needs to be clear demarcs and sufficient information sharing to ensure internal staff can report on what’s important.

This also makes evolving to a hybrid MSS/internal operations stance challenging. In the mainframe world, it was pretty straightforward. Basically, your move your applications data to the outsourcer’s processing center and you turn your iron off. Obviously it’s more complicated than that, but not too much. Figuring out how to move and provision the operations of your security infrastructure is far more challenging. But, as MSS has matured, the service providers are defining best practices to streamline the transition.

Make sure you have a Plan B if your service provider is acquired, given the consolidation both with smaller service providers and large carriers. The logic behind these acquisitions is to gain critical mass and/or industry specialization. Thus, the acquirer NEEDS to streamline operations to gain the economies of scale to make the deal pay off. This can (and usually does) impact service levels, so watch your SLAs (service level agreements) like a hawk. If issues arise, thump the service provider on the head and use the out-clause in the contract (you have an out-clause if the service provider is acquired, right?) to look at other options.

But, by all means, check out MSS. This could be the year you get out of managing boxes and start managing your security program.

That’s all for Day 9. I’m traveling until Friday, so may not be able to post until then. Next up, we’ll switch gears and discuss building software securely.